Windows 10 News and info | Forum
August 20, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: iOS 12.2 Patches Over 50 Security Vulnerabilities  (Read 206 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 30354


I Do Windows


WWW Email
« on: March 26, 2019, 10:09:12 AM »
ReplyReply

Apple released today security updates for iOS, fixing 51 vulnerabilities in version 12.2 of the operating system. The products impacted are iPhone 5s and later, iPad Air and newer, 6th generation iPods.

Products running tvOS - Apple TV 4K and Apple TV HD, which is based on iOS to a large degree, should be updated to 12.2 as they are also affected by 36 of the same vulnerabilities.

The list of patches covers a wide variety of bugs an adversary could potentially manipulate to obtain effects like denial-of-service, privilege escalation, and information disclosure to gaining root privileges, overwriting arbitrary files, or executing code of the attacker's choice.

19 issues reported in Webkit

Referring to a batch of serious memory corruption vulnerabilities addressed in iOS 12.2, Alex Stamos, reputed security professional, and former chief security officer at Facebook, noted that maybe Apple's big media events should not coincide with their round of bug fixes.



By far, most of the vulnerabilities were in Webkit, the web browser engine Apple uses in many of its products, including Safari, Mail, and App Store.

Most prevalent among them were memory corruption bugs that could be exploited to lead to arbitrary code execution via processing maliciously crafted web content.

Apple dealt with these errors by improving memory handling, state, and management.

Another memory-related problem, tracked as CVE-2019-8562, could be leveraged to allow a process to bypass sandbox restrictions. In this case, the solution was to improve validation checks.

Also affecting Webkit in previous versions of iOS is a flaw (CVE-2019-6222) that permits websites to access the microphone without showing any sign of the active state.

The same effect would be obtained through a separate bug (CVE-2019-8566) in ReplayKit component for recording or streaming video from the screen, and audio from an app or straight from the microphone.

Apple's list of security improvements for the current iOS release informs that an attacker could use two vulnerabilities for universal cross-site scripting (XSS) - CVE-2019-8551, and to learn sensitive user information (CVE-2019-8515).

Additionally, an adversary could take advantage of a different Webkit bug (CVE-2019-8503) that allows a website to execute scripts in the context of another website.

Kernel trouble and malicious SMS

Six issues affect the kernel in earlier iOS versions, which could cause a system crash or corruption (CVE-2019-8527), allow malicious apps to read memory layout (CVE-2019-8540, CVE-2019-6207, CVE-2019-8510), or gain elevated privileges (CVE-2019-8514).

Exploiting CVE-2019-7293 enables a local user to read kernel memory and extract sensitive information present there.

An interesting vulnerability reported by an anonymous researcher is CVE-2019-8553, which affects the GeoServices component.

Apple's brief explanation of its impact notes that an attacker could send the victim a "malicious SMS link" to obtain arbitrary code execution.

Apple's inventory of security patches is impressive not only because of the high number of problems being addressed but also through the seriousness of some of the vulnerabilities. Applying these updates should happen as soon as possible, as they pose significant risks to the security of the products they affect.

source
Logged



Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page July 22, 2019, 11:36:42 PM