Apple delivers security patches, plugs an RCE achievable via FaceTime
Apple has released a new set of updates for its various products, plugging a wide variety of vulnerabilities.
WatchOS, tvOS, Safari and iCloud
Let’s start with the “lightest” security updates:
iCloud for Windows 7.10 brings fixes for memory corruption, logic and type confusion issues in the WebKit browser engine, all of which can be triggered via maliciously crafted web content and most of which may lead to arbitrary code execution.
The update also carries patches for three potential RCE vulnerabilities in the SQLite library, which can be exploited via a maliciously crafted SQL query.
Safari 12.0.3 carries all the same WebKit fixes and plugs a cross-site scripting issue in Safari Reader.
watchOS 5.1.3 and tvOS 12.1.2 plug nearly all of the aforementioned security holes.
In addition to that, the tvOS update fixes:
- Several flaws that may allow a malicious app or a sandbox process to break out of its sandbox
- A bucketload of kernel vulnerabilities that could be used by malicious apps to elevate privileges, execute arbitrary code with kernel privileges or cause unexpected changes in memory shared between processes
- CVE-2019-6224, a buffer overflow that could allow a remote attacker to achieve arbitrary code execution by simply initiating a FaceTime call.
All of those issues have also been fixed in the watchOS update. Another fixed vulnerability worth mentioning is CVE-2019-6219, a denial of service issue affecting the Natural Language Processing component, which could be triggered by a maliciously crafted message.
The macOS and iOS updates
Finally, let’s turn to the traditionally heftier security updates. They have a lot of fixes in common:
- The already mentioned SQLite, kernel, and sandbox-circumventing flaws, as well as CVE-2019-6224 and CVE-2019-6219
- CVE-2019-6200, a man-in-the-middle code execution flaw over Bluetooth
- CVE-2019-6211, a memory corruption issue in WebRTC (the component that lets audio and video communication work inside web pages through direct peer-to-peer communication), which could allow attackers to perform code execution.
Additionally, iOS 12.1.3 carries the WebKit fixes (while macOS updates don’t – those are left to the Safari update) and patches CVE-2019-6206, a glitch in the password autofill capability.
The macOS updates plug security holes in the Intel Graphics Driver, the Hypervisor and QuartzCore components, all of which can be exploited by malicious applications.