Apple Releases Security Fixes for iOS & macOS

Apple has released a bundle of security fixes across its product lines.

The updates address flaws in the firmware and software components of Cupertino's portables and desktops.

For the flagship iOS, the 13.4 update includes fixes for 30 security holes.

Among the most serious are the bugs in WebKit, the browser engine at the heart of iOS. They include remote code execution (CVE-2020-3897, CVE-2020-9783, CVE-2020-3901, CVE-2020-3895, CVE-2020-3900, CVE-2020-3899), information disclosure (CVE-2020-3894), and cross-site scripting (CVE-2020-3902) blunders.

The iOS kernel also has a potentially serious arbitrary code execution bug (CVE-2020-9785) and an information disclosure flaw (CVE-2020-3914). Both require an attacker to already be running code on a device.

Locally exploitable arbitrary code execution flaws in Image Processing (CVE-2020-9768) and IOHIDFamily (CVE-2020-3919) were also patched, as was a lock screen bypass in Messages (CVE-2020-3891), two information disclosure flaws in Safari (CVE-2020-9775, CVE-2020-9781) and a traffic interception bug in Bluetooth (CVE-2020-9770).

The macOS update (Catalina 10.15.4, security update 2020-002 for Mojave and High Sierra) has fixes for 26 CVEs. Among the more interesting are a sudo bug (CVE-2019-19232) that allows commands to be run "as a non-existent user", a restricted memory access flaw in the Intel Graphics Driver (CVE-2019-14615), and what was only described as "multiple issues" in Vim (CVE-2020-9769).

Mac users will also get fixes for the above-mentioned kernel and IOHIDFamily flaws, a sign of just how close iOS and macOS have become. All of the iOS WebKit flaws are also present in the desktop Safari 13.1 update, which is no surprise as the engine powers both the desktop and mobile browsers.
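The practical follow-up to a bulletin like this is confirming that a fleet is actually on the fixed releases. The script below is an added example, not part of the article and not Apple's tooling: it compares reported version strings against the fixed versions the article names (iOS 13.4, macOS Catalina 10.15.4, Safari 13.1) using proper numeric comparison rather than string comparison, so that 13.4.1 counts as patched and 10.15.3 does not. The inventory is constructed sample data; a real deployment would feed it from `sw_vers -productVersion` or an MDM export. Mojave and High Sierra receive a numbered security update rather than a new product version, so they are not covered by this product-version check.

```python
# Added example: version-compliance check against the fixed versions named in the article.
# Not code from the article or from Apple; FIXED_VERSIONS values come from the article text.
from typing import Dict, List, Tuple

# Minimum versions that carry the fixes discussed in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "13.4",
    "macOS": "10.15.4",
    "Safari": "13.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.15.4' into (10, 15, 4) so versions compare numerically, not lexically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed version is at least the fixed version for this product.

    Tuple comparison handles differing lengths correctly: (13, 4) <= (13, 4, 1),
    and (10, 15, 3) < (10, 15, 4).
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for product {product!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[product])


# Constructed sample inventory (hostname, product, reported version); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mac-001", "macOS", "10.15.4"),
    ("mac-002", "macOS", "10.15.3"),
    ("phone-001", "iOS", "13.4"),
    ("phone-002", "iOS", "13.3.1"),
    ("mac-003", "Safari", "13.0.5"),
]


def unpatched_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose reported version is below the fixed version."""
    return [host for host, product, version in inventory if not is_patched(product, version)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: below fixed version, update required")
```

Lexical comparison is the classic mistake here ("10.15.10" sorts before "10.15.4" as a string), which is why the example parses each component into integers before comparing.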

Source: The Register