It's 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump

20 WebKit flaws among latest batch of bug fixes


On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications.

The July patch batch addresses vulnerabilities in iOS, MacOS, Safari, watchOS, and tvOS, though many of the updates are for common components across each of the platforms, such as the WebKit browser engine. These should be installed as soon as possible.

For iOS, the 12.4 update brings a total of 37 fixes for various components in the mobile operating system.

More than half of those CVE-listed flaws were found in WebKit, where Apple cleaned up 19 different memory corruption flaws, each potentially allowing arbitrary code execution via poisoned web content. Three cross-site scripting vulnerabilities also get a patch.

The remaining 15 CVE entries included a flaw in the Wallet app that would cause users to inadvertently authorize purchases while on the lock screen, which was discovered by researcher Jeff Braswell. Also included is a fix for a bug in the iOS Telephony software that allowed a Walkie-Talkie connection to be silently activated alongside a call, discovered by researcher Marius Alexandru Boeru and an anonymous colleague.

Project Zero's Natalie Silvanovich was a big winner this time around, as the Google-backed bug hunter took credit for discovering vulnerabilities in Core Data (CVE-2019-8646, CVE-2019-8647 along with fellow Googler Samuel Groß, CVE-2019-8660 with Groß), Found in Apps (CVE-2019-8663), Foundation (CVE-2019-8641 with Groß), Quick Look (CVE-2019-8662 with Groß), and Siri (CVE-2019-8646).

For MacOS, a total of 44 vulnerabilities were patched in Mojave, High Sierra, and Sierra systems. These include all 22 of the WebKit CVE entries, as well as fixes for flaws in Core Data, Found in Apps, Foundation, Quick Look, and Siri.

In addition, Apple addressed an arbitrary code execution flaw in UIFoundation triggered by Office docs (CVE-2019-8657 discovered by riusksk of VulWar Corp), a flaw in Time Machine that displayed the wrong encryption status for backups (discovered by Roland Kletzing of cyber:con GmbH) and two information disclosure flaws in the Mac graphics drivers (CVE-2019-8691 and CVE-2019-8692) reported by Trend Micro researchers Lilang Wu and Moony Li, Arash Tohidi of Solita, and researcher Aleksandr Tarasikov.

Apple's tvOS (the firmware for the Apple TV 4K and HD) will get many of the same fixes as iOS, including the WebKit, CoreData, and Siri patches. Users can get the patch from the Settings > System > Software Updates menu.

For watchOS, 23 CVE-listed bugs were patched, all in components watchOS shares with iOS, including WebKit. That update can be installed via the Apple Watch iOS app.

Finally, Safari on macOS will get fixes for the 22 WebKit issues as well as CVE-2019-8670, an address bar spoofing vulnerability spotted by researcher Tsubasa Fujii. ®
