CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

iOS 12 Brings Patches for 16 Security Vulnerabilities

Apple this week officially released iOS 12, which patches various vulnerabilities in the mobile operating system (OS) and brings improved performance and other enhancements.

Apple this week officially released iOS 12, which patches various vulnerabilities in the mobile operating system (OS) and brings improved performance and other enhancements.

The tech giant also pushed updates for Apple TV 4K and Apple TV (4th generation) and Apple Watch Series 1 and later, with the release of tvOS 12 and watchOS 5. Safari 12 and Apple Support 2.4 for iOS were also released this week.

A total of 16 vulnerabilities were addressed with the release of iOS 12, most of which impact only iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Tracked as CVE-2018-5383, an input validation issue in Bluetooth could allow an attacker in a privileged network position to intercept Bluetooth traffic. It impacts iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation.

The remaining flaws affect components such as Accounts, Core Bluetooth, CoreMedia, IOMobileFrameBuffer, iTunes Store, Kernel, Messages, Notes, Safari, SafariViewController, Security, Status Bar, and Wi-Fi.

Some of these flaws could allow an app to read a persistent account identifier, execute arbitrary code with system privileges, learn information about the current camera view before being granted camera access, or read restricted memory.

Bugs in Messages, Notes, and Safari could allow a local user to discover a user’s deleted messages, notes, or the websites a user has visited. A flaw in iTunes Store could be exploited by an attacker in a privileged network position to spoof password prompts in the iTunes Store.

One other flaw in Safari could prevent a user from deleting browsing history items. Other flaws could allow malicious websites to exfiltrate autofilled data in Safari or could lead to address bar spoofing when visiting malicious websites.

Advertisement. Scroll to continue reading.

Apple also removed the RC4 cryptographic algorithm from the platform, to prevent attackers from exploiting weaknesses in it, and addressed an issue where anyone with physical access to an iOS device could determine the last used app from the lock screen.

tvOS 12 patches 5 vulnerabilities in Bluetooth, iTunes Store, Kernel, Safari, and Security, while watchOS 5 addressed 4 bugs in iTunes Store, Kernel, Safari, and Security.

Available for macOS Sierra 10.12.6, and macOS High Sierra 10.13.6, Safari 12 patches 3 flaws, while Apple Support 2.4 for iOS addresses one bug in Analytics, which could allow an attacker in a privileged network position to intercept analytics data sent to Apple.

Related: Attackers Abuse Age Restrictions to Hide Apps on iOS Devices

Related: Apple Rolls-Out USB Restricted Mode in iOS

Related: Apple Boosts Security in iOS 12, macOS Mojave

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.