Apple has just announced its latest something for everyone security and feature updates for iOS, iPadOS, macOS, watchOS, and tvOS.
In terms of security, the attention grabber is iOS/iPad 13.4, which fixes 30 CVEs. Apple doesn’t rate the severity of vulnerabilities in its advisories, but we can pick out a few highlights from their descriptions.
The following apply to supported devices, namely the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.
Kernel bugs
The standout here is CVE-2020-9785, through which a rogue application could execute with kernel privileges, mirroring CVE-2020-3919, an identical-sounding issue connected to the IOHIDFamily.
A third kernel flaw fixed is CVE-2020-3914, information disclosure by reading restricted memory.
WebKit
As usual, WebKit browser engine and Safari gave Apple plenty to fix, all bar one of which were found by sources outside the company, including an arbitrary code execution flaw, CVE-2020-3899, credited to Google’s open source fuzzing tool, OSS-Fuzz.
Of the 10 CVEs in WebKit, another four allow arbitrary code execution, including CVE-2020-3901 and CVE-2020-9783, which could be exploited through maliciously crafted web content. The same goes for CVE-2020-3902, in which maliciously crafted content could make possible a cross-site scripting attack.
The Safari vulnerabilities, CVE-2020-9775 and CVE-2020-9781, are both relatively minor but unusual, the first causing a user’s private browsing history to be saved in the Screen Time parental control app, the second causing a user to “grant website permissions to a site they didn’t intend to.”
The WebKit fixes are mirrored in the desktop version of Safari.
Bluetooth
Bluetooth is another interface that often causes problems. This time it’s CVE-2020-9770, through which an attacker with authenticated network access could intercept Bluetooth traffic from another iOS device.
A final one to watch is CVE-2020-3891, which an attacker with physical access to a locked iOS device could reply to messages even when that function is disabled.
The macOS update takes Catalina to version 10.15.4 (security update 2020-002 for Mojave and High Sierra), fixing 27 CVE-level flaws.
Several of these are the same flaws fixed separately in iOS, namely CVE-2020-9785 and CVE-2020-3914 affecting the kernel, and CVE-2020-3919 in the IOHIDFamily.
Others include CVE-2019-14615, a low-priority fix for an Intel graphics driver vulnerability dating back to January, and CVE-2019-19232, an issue with sudo in the terminal window which could allow an attacker to run commands as a non-existent user.
And it wouldn’t be an Apple update without at least one fix for FaceTime, CVE-2020-3881.
Safari reaches 13.1 with fixes for 11 CVE bugs, all but one of which are, predictably, the same WebKit flaws fixed separately in iOS 13.4.
What to do?
To check you’re up to date:
- On an iPhone or iPad, go to Settings > General > Software Update.
- On a Mac, go to the Apple menu, choose About This Mac and click Software Update.
If your device has already updated automatically, you will see this on the update screen. If not, it will let you know about the update and offer to install it for you.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.