Apple on Friday released security updates for iOS 13 and iPadOS to address a vulnerability that allowed third-party keyboard extensions to gain “full access” without being granted permission.
The bug, Apple revealed earlier this week, only impacts devices where third-party keyboards request full access permissions, but does not affect Apple keyboards or third-party keyboards that don’t make use of full access. Full access permissions allow an app to fetch resources from a remote server.
In iOS, third-party keyboard extensions can also be designed to run entirely standalone, meaning that they won’t have access to external services.
The security flaw, which is tracked as CVE-2019-8779, could allow a malicious keyboard app to record everything the user types and send the information to the attacker’s server.
However, the risk of exploitation would be relatively low, as such a keyboard would first have to pass the Apple approval process and then be downloaded and installed by the victims.
On Friday, Apple announced the release of iOS 13.1.1 and iPadOS 13.1.1, which address the issue by applying the correct sandbox restrictions to third-party app extensions.
The update, which arrived only days after the release of iOS 13, is being delivered to iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.
Earlier this week, Apple addressed another issue in iOS 13, which provided access to contacts to anyone with physical access to the device, directly from the lockscreen (CVE-2019-8775).
On Thursday, the Cupertino-based tech company released security updates for macOS, watchOS, and iOS 12.4.1.
The newly released macOS Mojave 10.14.6 Supplemental Update 2, the High Sierra Security Update 2019-005, and the Sierra Security Update 2019-005 address an out-of-bounds read vulnerability that could allow an attacker to cause unexpected application termination or arbitrary code execution.
Tracked as CVE-2019-8641 and discovered by Samuel Groß and Natalie Silvanovich of Google Project Zero, the security flaw was addressed with improved input validation.
The same vulnerability was addressed in iOS and watchOS as well, with the release of iOS 12.4.2 and watchOS 5.3.2.
These two updates are rolling out for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.6; iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation; and Apple Watch Series 1 and Apple Watch Series 2.