Apple Patches Multiple Code Execution Flaws in Audio Components

Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems.

The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS.

The first two of the flaws, CVE-2020-9884 and CVE-2020-9889, are out-of-bounds write issues, while the remaining three, CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.

All of the vulnerabilities could be exploited by supplying a maliciously crafted audio file to ultimately execute arbitrary code on the affected systems.
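The bug class behind all five CVEs is a parser that trusts a length field read from the file. The following is an added example written for this article, not Apple's CoreAudio code and not a reproduction of any of the patched flaws: it walks a simplified RIFF-style chunk layout (4-byte id, 4-byte little-endian size, payload; an assumption for illustration) and shows the bounds check that keeps a crafted size field from driving reads or writes past the buffer. The `unchecked_would_overrun` helper only computes where a naive parser's copy would end; it never dereferences memory. The sample buffers are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Apple code. Chunk layout (assumed, simplified RIFF):
   4-byte id, 4-byte little-endian size, then `size` bytes of payload. */

#define MAX_CHUNKS 8

struct chunk {
    char id[5];
    uint32_t size;
    size_t offset;  /* offset of the payload inside the file buffer */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened walker: each declared size is checked against the bytes that
   actually remain, so a crafted size field cannot move a read or write past
   the end of the buffer. Returns the chunk count, or -1 for a malformed file. */
int walk_chunks(const uint8_t *buf, size_t len, struct chunk *out, size_t max_out) {
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 8) return -1;            /* truncated chunk header */
        uint32_t size = rd_le32(buf + pos + 4);
        size_t remaining = len - pos - 8;
        if (size > remaining) return -1;         /* declared size exceeds the file */
        if ((size_t)n >= max_out) return -1;     /* output table full */
        memcpy(out[n].id, buf + pos, 4);
        out[n].id[4] = '\0';
        out[n].size = size;
        out[n].offset = pos + 8;
        n++;
        pos += 8 + (size_t)size;                 /* cannot exceed len after the check above */
    }
    return n;
}

/* What a naive parser does: trust the size field and copy that many bytes.
   This helper only reports whether such a copy would run past the buffer
   (1 = overrun); it performs no memory access, so it is safe to run. */
int unchecked_would_overrun(const uint8_t *buf, size_t len) {
    if (len < 8) return 1;
    uint32_t size = rd_le32(buf + 4);
    return (size_t)size > len - 8;
}

/* Constructed sample: a 2-byte "fmt " chunk followed by a 4-byte "data" chunk. */
static const uint8_t good_file[] = {
    'f','m','t',' ', 2,0,0,0, 0x01,0x00,
    'd','a','t','a', 4,0,0,0, 1,2,3,4
};

/* Constructed crafted sample: same bytes, but the "data" chunk claims
   0xFFFFFF00 payload bytes while only 4 follow it. */
static const uint8_t crafted_file[] = {
    'f','m','t',' ', 2,0,0,0, 0x01,0x00,
    'd','a','t','a', 0x00,0xFF,0xFF,0xFF, 1,2,3,4
};

int demo_good(void) {
    struct chunk c[MAX_CHUNKS];
    return walk_chunks(good_file, sizeof good_file, c, MAX_CHUNKS);
}

int demo_crafted(void) {
    struct chunk c[MAX_CHUNKS];
    return walk_chunks(crafted_file, sizeof crafted_file, c, MAX_CHUNKS);
}

int demo_truncated(void) {
    struct chunk c[MAX_CHUNKS];
    return walk_chunks(good_file, 5, c, MAX_CHUNKS);  /* header cut off mid-way */
}

/* Point the naive check at the crafted "data" chunk (starts at byte 10). */
int demo_crafted_unchecked(void) {
    return unchecked_would_overrun(crafted_file + 10, sizeof crafted_file - 10);
}

int main(void) {
    printf("well-formed file: %d chunks\n", demo_good());            /* 2 */
    printf("crafted file (hardened walker): %d\n", demo_crafted());   /* -1 */
    printf("crafted file, naive copy would overrun: %d\n", demo_crafted_unchecked()); /* 1 */
    return 0;
}
```

The check that matters is `size > remaining` computed from the real buffer length, done before any copy or index that uses `size`; the walker also refuses a header that does not fit, which is the other common way a length-driven parser ends up reading past its input.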

A total of 19 issues were patched in macOS, including vulnerabilities in Clang, CoreAudio, CoreFoundation, Crash Reporter, Graphics Drivers, Heimdal, ImageIO, Kernel, Mail, Messages, Model I/O, Security, Vim, and Wi-Fi.

These could lead to arbitrary code execution, leaks of sensitive information, sandbox escape, injection of data into active connections within a VPN tunnel, denial of service, unexpected application termination, system termination, or kernel memory corruption.

iOS 13.6 and iPadOS 13.6 address a total of 29 vulnerabilities, including most of those patched in macOS. The platforms also include patches for bugs in Bluetooth, GeoServices, iAP, Kernel, Safari Login AutoFill, Safari Reader, WebKit, WebKit Page Loading, WebKit Web Inspector, and Wi-Fi.

These could lead to code execution, mitigation bypass, denial of service, application termination, bypass of Same Origin Policy, prevention of Content Security Policy enforcement, Pointer Authentication bypass, or command injection.

The update is now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

tvOS 13.4.8 was released this week with patches for 20 of these vulnerabilities, while watchOS 6.2.8 addresses 19 of them.

Safari 13.1.2, available for macOS Mojave and macOS High Sierra, and included in macOS Catalina, brings fixes for a total of 11 flaws in Safari Downloads, Login AutoFill, Reader, WebKit, WebKit Page Loading, and WebKit Web Inspector.

Apple also announced the release of iOS 12.4.8 (for iPhone 5s, iPhone 6 and 6 Plus, iPad Air, iPad mini 2 and 3, iPod touch 6th generation), watchOS 5.3.8 (for Apple Watch Series 1, 2, 3, and 4), and Xcode 11.6 (for macOS Mojave 10.15.2 and later) this week, but says that these have no published CVEs.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.