Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows
Dozens of bugs swatted in latest Cupertino updates
Apple has emitted a bundle of security fixes ranging across its product lines.
The seven updates address dozens of CVE-listed flaws in the firmware and software components of Cupertino's portables and desktops. Since you're stuck inside by the coronavirus pandemic, now's a great time to get patching.
For the flagship iOS, the 13.4 update includes fixes for 30 security holes.
Among the most serious are the bugs in WebKit, the browser engine at the heart of iOS. They include remote code execution (CVE-2020-3897, CVE-2020-9783, CVE-2020-3901, CVE-2020-3895, CVE-2020-3900, CVE-2020-3899), information disclosure (CVE-2020-3894), and cross-site scripting (CVE-2020-3902) blunders.
The iOS kernel also has a potentially serious arbitrary code execution bug (CVE-2020-9785) and an information disclosure flaw (CVE-2020-3914). Both require an attacker to already be running code on a device.
Locally-exploitable arbitrary code execution flaws in Image Processing (CVE-2020-9768), IOHIDFamily (CVE-2020-3919) were also patched. As was a lock screen bypass flaw in Messages (CVE-2020-3891) and two info disclosure flaws in Safari (CVE-2020-9775, CVE-2020-9781) along with a traffic intercept bug in BlueTooth (CVE-2020-9770).
The macOS update (Catalina 10.15.4, security update 2020-002 for Mojave and High Sierra) has fixes for 26 CVE bugs. Among the more interesting are a sudo bug (CVE-2019-19232) that allows commands to be run "as a non-existent user" and a restricted memory access flaw in the Intel Graphics Driver (CVE-2019-14615) as well as what was only described as "multiple issues" in Vim (CVE-2020-9769).
Mac users will also get fixes for the above-mentioned kernel and IOHIDFamily flaws, a sign of just how close iOS and macOS have become. All of the iOS WebKit flaws are also present in the desktop Safari 13.1 update, which is no surprise as the engine powers both the desktop and mobile browsers.
Owners of other Apple gear will also want to check for updates as Apple has posted fixes for watchOS (17 CVE-listed bugs), tvOS (20 CVE entries), and iTunes for Windows (remember that baffling thing? It has 12 bugs fixed.)
Users can get the fixes via the Software Update option. ®