It’s 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump
On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications.
The July patch batch addresses vulnerabilities in iOS, MacOS, Safari, watchOS, and tvOS, though many of the updates are for common components across each of the platforms, such as the WebKit browser engine.
For iOS, the 12.4 update brings a total of 37 fixes for various components in the mobile operating system.
More than half of those CVE-listed flaws were found in WebKit, where Apple cleaned up 19 different memory corruption flaws, each potentially allowing for arbitrary code execution via poisoned web content, and three cross-site scripting vulnerabilities also get a patch.
The remaining 15 CVE entries included a flaw in the Wallet app that would cause users to inadvertently authorize purchases while on the lock screen, which was discovered by researcher Jeff Braswell. Also included is fix for a bug in the iOS Telephony software that allowed a Walkie-Talkie connection to be silently activated alongside a call, discovered by researcher Marius Alexandru Boeru and an anonymous colleague.
Project Zero’s Natalie Silvanovich was a big winner this time around, as the Google-backed bug hunter took credit for discovering vulnerabilities in Core Data (CVE-2019-8646, CVE-2019-8647 along with fellow Googler Samuel Groß, CVE-2019-8660 with Groß), Found in Apps (CVE-2019-8663), Foundation (CVE-2019-8641 with Groß), Quick Look (CVE-2019-8662 with Groß), and Siri (CVE-2019-8646).
For MacOS, a total of 44 vulnerabilities were patched in Mojave, High Sierra, and Sierra systems. These include all 22 of the WebKit CVE-entries, as well as fixing flaws in the Core Data, Found in Apps, Foundation, Quick Look, and Siri.
Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet
In addition, Apple addressed an arbitrary code execution flaw in UIFoundation triggered by Office docs (CVE-2019-8657 discovered by riusksk of VulWar Corp), a flaw in Time Machine that displayed the wrong encryption status for backups (discovered by Roland Kletzing of cyber:con GmbH) and two information disclosure flaws in the Mac graphics drivers (CVE-2019-8691 and CVE-2019-8692) reported by Trend Micro researchers Lilang Wu and Moony Li, Arash Tohidi of Solita, and researcher Aleksandr Tarasikov.
Apple’s tvOS (the firmware for the Apple TV 4K and HD) will get many of the same fixes as iOS, including the WebKit, CoreData, and Siri patches. Users can get the patch from the Settings > System > Software Updates menu.
For watchOS, 23 CVE-listed bugs were patched, all in components WatchOS shares with iOS, including WebKit. That update can be installed via the Apple Watch iOS app.
Finally, Safari on macOS will get fixes for the 22 WebKit issues as CVE-2019-8670, an address bar spoofing vulnerability spotted by researcher Tsubasa Fujii. ®
Sponsored: Balancing consumerization and corporate control
READ MORE HERE