Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems.
The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS.
The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.
All of the vulnerabilities could be exploited by supplying a maliciously crafted audio file to ultimately execute arbitrary code on the affected systems.
A total of 19 issues were patched in macOS, including vulnerabilities in Clang, CoreAudio, CoreFoundation, Crash Reporter, Graphics Drivers, Heimdal, ImageIO, Kernel, Mail, Messages, Model I/O, Security, Vim, and Wi-Fi.
These could lead to arbitrary code execution, leak of sensitive information, sandbox escape, injection of data into active connections within a VPN tunnel, denial of service, unexpected application termination, system termination, or corrupt kernel memory.
iOS 13.6 and iPadOS 13.6 address a total of 29 vulnerabilities, including most of those patched in macOS. The platforms also include patches for bugs in Bluetooth, GeoServices, iAP, Kernel, Safari Login AutoFill, Safari Reader, WebKit, WebKit Page Loading, WebKit Web Inspector, and Wi-Fi.
These could lead to code execution, mitigation bypass, denial of service, application termination, bypass of Same Origin Policy, prevention of Content Security Policy enforcement, Pointer Authentication bypass, or command injection.
The update is now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.
tvOS 13.4.8 was released this week with patches for 20 of these vulnerabilities, while watchOS 6.2.8 addresses 19 of them.
Safari 13.1.2, available for macOS Mojave and macOS High Sierra, and included in macOS Catalina, brings fixes for a total of 11 flaws in Safari Downloads, Login AutoFill, Reader, WebKit, WebKit Page Loading, and WebKit Web Inspector.
Apple also announced the release of iOS 12.4.8 (for iPhone 5s, iPhone 6 and 6 Plus, iPad Air, iPad mini 2 and 3, iPod touch 6th generation), watchOS 5.3.8 (for Apple Watch Series 1, 2, 3, and 4), and Xcode 11.6 (for macOS Mojave 10.15.2 and later) this week, but says that these have no published CVEs.
Related: Apple Patches Recent iPhone Jailbreak Zero-Day
Related: Apple Patches Over 40 Vulnerabilities in macOS Catalina
Related: Apple Acquires Device Management Company Fleetsmith