Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches 21 Vulnerabilities in WebKit

Security updates Apple released this week for iOS, macOS, Safari, tvOS and watchOS include patches for 21 vulnerabilities that affect open source web browser engine WebKit.

Security updates Apple released this week for iOS, macOS, Safari, tvOS and watchOS include patches for 21 vulnerabilities that affect open source web browser engine WebKit.

These bugs include 20 memory corruption issues that could lead to arbitrary code execution during the processing of maliciously crafted web content. Apple says it addressed the flaws with improved memory handling.

Additionally, the company addressed an out-of-bounds vulnerability in WebKit, which could result in the disclosure of process memory when processing of maliciously crafted web content. Apple improved input validation to resolve the issue. 

The patches for all of these vulnerabilities were also included in Safari 12.1.1

In addition to the flaws in WebKit, Apple addressed 21 other flaws in iOS. These bugs impacted components such as Contacts, Disk Images, Kernel, Lock Screen, Mail, Mail Message Framework, Photos Storage, SQLite, Status Bar, and Wi-Fi. 

Exploitation of these bugs could lead to arbitrary code execution, exposure of restricted memory, system termination, kernel memory write, privilege escalation, sandbox restrictions bypass, file system modification, disclosure of process memory, or passive device tracking. 

All of the issues were resolved in iOS 12.3, now rolling out to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. 

A total of 45 vulnerabilities were addressed with the release of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, and Security Update 2019-003 Sierra for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.4 devices. 

Impacted components included Accessibility Framework, AMD, Application Firewall, CoreAudio, Disk Images, EFI, Intel Graphics Driver, Kernel, Security, SQLite, and WebKit. The flaws could lead to arbitrary code execution, Gatekeeper checks bypass, the loading of unsigned kernel extensions, kernel memory read/write, and privilege escalation, among others. 

tvOS 12.3 includes patches for 35 vulnerabilities, including the 21 flaws in WebKit. Other impacted components include CoreAudio, Disk Images, Kernel, SQLite, sysdiagnose, and Wi-Fi. 

watchOS 5.2.1 was released with patches for 21 vulnerabilities, including 4 in WebKit. Other impacted components include CoreAudio, Disk Images, Kernel, Mail, Mail Message Framework, SQLite, sysdiagnose, and Wi-Fi. 

Apple TV Software 7.3 arrived this week with fixes for 3 vulnerabilities impacting Bluetooth and Wi-Fi. By exploiting these flaws, an attacker may cause an unexpected application termination or arbitrary code execution, or could execute arbitrary code on the Wi-Fi chip when in range. 

Related: Apple Patches Vulnerabilities in iOS, macOS, Safari

Related: Apple, Oracle, VMware Software Hacked at Pwn2Own 2019

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.