Security updates released by Apple on Tuesday for its macOS, iOS, tvOS, watchOS, Safari, iCloud and iTunes products address tens of new vulnerabilities.
The advisory published by Apple for macOS lists over 70 CVE identifiers. This includes vulnerabilities affecting third-party components and flaws that were previously addressed by Apple and for which patches were now backported to older versions of the operating system.
The security holes patched this week can be exploited for arbitrary code execution, privilege escalation, information leakage, and denial-of-service (DoS) attacks.
The more interesting vulnerabilities include a crypto issue discovered by a team of researchers from two universities, flaws that allow applications to execute code with elevated privileges, and a user interface spoofing bug in the Mail app. The latest updates for macOS 10.14 Mojave also patch Variant 3a of the speculative execution bugs known as Spectre and Meltdown, and some vulnerabilities discovered by researcher Patrick Wardle, including one disclosed shortly after the launch of Mojave.
Apple has also patched over 20 vulnerabilities in iOS 12. This includes several FaceTime issues discovered by Natalie Silvanovich of Google Project Zero. The researcher found four memory corruptions that could result in data leaks or arbitrary code execution. Some of these flaws allow a remote attacker to execute code by initiating a FaceTime call, Apple said.
iOS 12.1 also resolves two lockscreen bypass vulnerabilities disclosed recently by Jose Rodriguez, known for his YouTube channel videosdebarraquito. Rodriguez found that the passcode can be bypassed on an iPhone by leveraging the VoiceOver (CVE-2018-4387) and Notes (CVE-2018-4388) features. The researcher discovered these weaknesses just days after Apple released patches for similar passcode bypass methods that he had previously found.
Many of the iOS vulnerabilities were also patched by Apple in tvOS and watchOS, both of which are based on the mobile operating system. Some of the flaws were also found to impact Safari and the iTunes and iCloud applications for Windows.
Code analysis firm Semmle on Tuesday disclosed the details of a code execution vulnerability discovered by one of its researchers. Apple first fixed the bug in September with the release of iOS 12 and macOS Mojave, but this week it also backported the patches to macOS Sierra and High Sierra.
Related: Mac Apps From Apple’s App Store Steal User Data, Researchers Say
Related: Google Criticizes Apple Over Safari Security, Flaw Disclosures
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
