Apple today released security updates for iOS, fixing 51 vulnerabilities of version 12.2 of the operating system. The products concerned are the iPhone 5s and later, iPad Air and the new 6th generation iPods.
Products running tvOS – Apple TV 4K and Apple TV HD, which relies to a large extent on iOS, should be updated to 12.2, as they are also affected by 36 of the same vulnerabilities.
The list of patches covers a wide variety of bugs that an opponent could potentially manipulate to achieve such effects as denial of service, elevation of privilege, and disclosure of information in order to obtain root privileges, d & # 39; To overwrite arbitrary files or to execute code chosen by the attacker.
19 issues reported in Webkit
Referring to a batch of serious memory corruption vulnerabilities fixed in iOS 12.2, Alex Stamos, renowned security professional and former security officer at Facebook, said that major media events at Apple may not be coincide with their series of bug fixes.
Apple has fixed some very serious bugs in iOS 12.2. Update now!
Once again, this raises the question of whether Apple should associate its security patch schedule with major media events. This is not "Patch Tuesday", it's "Patch Keynote". pic.twitter.com/F8fCoJmh2v
– Alex Stamos (@alexstamos) March 25, 2019
By far, most of the vulnerabilities involved Webkit, the web browser engine used by Apple in many of its products, including Safari, Mail and App Store.
Among these, the most common were memory corruption issues that could be exploited to lead to arbitrary code execution via maliciously crafted Web content processing.
Apple solved these errors by improving the management, state, and memory management.
Another memory-related issue, tracked as CVE-2019-8562, could be exploited to allow a process to bypass sandbox restrictions. In this case, the solution was to improve the validation checks.
Another flaw (CVE-2019-6222), which allows websites to access the microphone without showing any sign of active status, also affects Webkit in previous versions of iOS.
The same effect would be obtained via a separate bug (CVE-2019-8566) in the ReplayKit component for recording or streaming videos from the screen and audio from the An application or directly from the microphone.
The list of Apple enhancements to security for the current iOS version indicates that an attacker could use two vulnerabilities for cross-site scripting (XSS) – CVE-2019-8551 and to learn confidential user information (CVE- 2019-8515).
In addition, an opponent could take advantage of another Webkit bug (CVE-2019-8503) allowing a website to run scripts in the context of another website.
Core problem and malicious SMS
Six issues affecting the kernel of earlier versions of iOS, which can cause system crash or corruption (CVE-2019-8527), allow malicious applications to read the memory structure (CVE-2019-8540, CVE- 2019-6207, CVE-2019-8510), or obtain elevated privileges (CVE-2019-8514).
The exploitation of CVE-2019-7293 allows a local user to read kernel memory and retrieve sensitive information that is found there.
An interesting vulnerability reported by an anonymous researcher is CVE-2019-8553, which affects the GeoServices component.
The brief explanation of its impact by Apple indicates that an attacker could send the victim a "malicious SMS link" in order to obtain arbitrary code execution.
The inventory of Apple's security patches is impressive, not only because of the high number of issues solved, but also because of the severity of some of these vulnerabilities. The application of these updates should take place as quickly as possible as they pose significant risks to the safety of the products that they affect.