SecurityWeek

Vulnerabilities

Apple Patches 22 Vulnerabilities in WebKit

Apple this week released a new set of patches to address various security flaws across its product portfolio, including 22 bugs impacting WebKit.


Most of these vulnerabilities, Apple has revealed, could be exploited for the arbitrary execution of code during the processing of maliciously crafted web content. The vulnerabilities are memory corruption issues that have been addressed with improved memory handling.

A total of 19 such flaws were addressed, along with 3 other vulnerabilities that could lead to universal cross-site scripting. Also triggered by maliciously crafted web content, these vulnerabilities were addressed with improved state management.

All 22 vulnerabilities impact iOS and were addressed with the release of iOS 12.4 this week. The platform update also addresses 15 other flaws in Core Data, FaceTime, Found in Apps, Foundation, Heimdal, libxslt, Messages, Profiles, Quick Look, Siri, Telephony, UIFoundation, and Wallet.

These flaws could result in memory leaks, arbitrary code execution, unexpected application termination, the intercepting of communications between services to perform unauthorized actions, viewing sensitive information, and restricted access to websites. 

The vulnerability addressed in Telephony could allow the initiator of a phone call “to cause the recipient to answer a simultaneous Walkie-Talkie connection,” Apple explains in an advisory.

Earlier this month, the company disabled the Walkie-Talkie app on the Apple Watch after being informed that a serious vulnerability in the application could be exploited to spy on users. 

A total of 44 vulnerabilities were addressed with the release of macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, and Security Update 2019-004 Sierra, including the aforementioned 22 bugs in WebKit.


The remaining flaws impact AppleGraphicsControl, autofs, Bluetooth, Carbon Core, Core Data, Disk Management, FaceTime, Found in Apps, Foundation, Grapher, Graphics Drivers, Heimdal, IOAcceleratorFamily, libxslt, Quick Look, Safari, Security, Siri, Time Machine, and UIFoundation.

Exploitation of these security issues could lead to reading restricted memory, Gatekeeper bypass, arbitrary code execution, memory leaks, unexpected application termination, performing unauthorized actions by intercepting communications between services, viewing sensitive information, or address bar spoofing. 

tvOS 12.4 was released with patches for a total of 32 vulnerabilities, including those in WebKit. The remaining issues were found in Core Data, Foundation, Heimdal, libxslt, Profiles, Quick Look, Siri, and UIFoundation, and could lead to arbitrary code execution, memory leak, unexpected application termination, or restricted access to websites. 

watchOS 5.3 arrived with patches for 23 flaws, only 9 of which impact WebKit. The remaining issues affect Core Data, Digital Touch, FaceTime, Foundation, Heimdal, libxslt, Messages, Quick Look, Siri, UIFoundation, and Wallet. 

Of the 23 flaws addressed with the release of Safari 12.1.2, only one impacts Safari and could lead to address bar spoofing when visiting a malicious website. The remaining 22 flaws impact WebKit. 

Related: Flaw in Walkie-Talkie App on Apple Watch Allows Spying

Related: Apple Patches 21 Vulnerabilities in WebKit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
