Apple Patches 21 Vulnerabilities in WebKit
Security updates Apple released this week for iOS, macOS, Safari, tvOS and watchOS include patches for 21 vulnerabilities that affect open source web browser engine WebKit.
These bugs include 20 memory corruption issues that could lead to arbitrary code execution during the processing of maliciously crafted web content. Apple says it addressed the flaws with improved memory handling.
Additionally, the company addressed an out-of-bounds vulnerability in WebKit, which could result in the disclosure of process memory when processing of maliciously crafted web content. Apple improved input validation to resolve the issue.
The patches for all of these vulnerabilities were also included in Safari 12.1.1.
In addition to the flaws in WebKit, Apple addressed 21 other flaws in iOS. These bugs impacted components such as Contacts, Disk Images, Kernel, Lock Screen, Mail, Mail Message Framework, Photos Storage, SQLite, Status Bar, and Wi-Fi.
Exploitation of these bugs could lead to arbitrary code execution, exposure of restricted memory, system termination, kernel memory write, privilege escalation, sandbox restrictions bypass, file system modification, disclosure of process memory, or passive device tracking.
All of the issues were resolved in iOS 12.3, now rolling out to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
A total of 45 vulnerabilities were addressed with the release of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, and Security Update 2019-003 Sierra for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.4 devices.
Impacted components included Accessibility Framework, AMD, Application Firewall, CoreAudio, Disk Images, EFI, Intel Graphics Driver, Kernel, Security, SQLite, and WebKit. The flaws could lead to arbitrary code execution, Gatekeeper checks bypass, the loading of unsigned kernel extensions, kernel memory read/write, and privilege escalation, among others.
tvOS 12.3 includes patches for 35 vulnerabilities, including the 21 flaws in WebKit. Other impacted components include CoreAudio, Disk Images, Kernel, SQLite, sysdiagnose, and Wi-Fi.
watchOS 5.2.1 was released with patches for 21 vulnerabilities, including 4 in WebKit. Other impacted components include CoreAudio, Disk Images, Kernel, Mail, Mail Message Framework, SQLite, sysdiagnose, and Wi-Fi.
Apple TV Software 7.3 arrived this week with fixes for 3 vulnerabilities impacting Bluetooth and Wi-Fi. By exploiting these flaws, an attacker may cause an unexpected application termination or arbitrary code execution, or could execute arbitrary code on the Wi-Fi chip when in range.