Apple has issued email advisories covering 11 security flaws in its software and hardware products, with the fixes being available through the latest updates.
The remedying roll-outs of Apple’s operating system versions for both desktop and mobile devices came in quick succession after these security alerts reached the general public. Patches are always welcome, especially if they are deployed proactively so that cybercriminals get hardly any chance to exploit weaknesses. This time, though, the Cupertino tech company has surprised the community with how overarching these updates are. First off, the scope is demonstrated by the vast software and hardware coverage. The devices receiving critical security patches include ones that run iOS 12.4.7 / 13.5, iPadOS 13.5, macOS Mojave / High Sierra / Catalina 10.15.5, watchOS 5.3.7 / 6.2.5, and tvOS 13.4.5. This update is also applicable to the following software frameworks: Safari 13.1.1, Windows Migration Assistant 18.104.22.168, iTunes 12.10.7 for Windows, and iCloud versions 7.19 / 11.2 for Windows. For the record, the Safari update arrives with the Catalina patch.
Another side of the matter is the nature of the vulnerabilities addressed by this move from Apple. In the case of the Windows Migration Assistant, it’s a DLL loading bug that may be leveraged to dupe users into executing a previously downloaded sketchy application. All in all, based on the above-mentioned 11 alerts, there are more than 60 security imperfections tackled by the update. A good deal of the fixes prevent attackers from elevating their privileges on a device, executing arbitrary shell commands, reading kernel traffic, intercepting Bluetooth communications, triggering a denial-of-service scenario, pulling off remote code execution, leaking memory, or causing a system crash.
Most of these patches mitigate the damage that can be precipitated by malicious applications, web content, websites, emails, audio files, videos, PDF documents, processes, and USB devices. For instance, they keep unwanted apps from bypassing sandbox mechanisms, gaining root privileges, altering protected file system components, revealing memory contents, and circumventing Privacy preferences. In the context of specially crafted malicious emails, the fixes take care of heap corruption and unexpected memory changes. An extra facet of the updates keeps dubious web content from causing cross-site scripting (XSS) attacks, process memory disclosure, and arbitrary code execution. Now that the patches are live, offensive websites can no longer capture auto-filled information in Safari. Furthermore, attacks that could allow USB devices to cause a denial-of-service situation will stop in their tracks.
Although most of these security flaws alone aren’t single points of failure (SPOFs), they can fuel successful attacks if combined. For example, a privilege escalation vulnerability can be paired with a sandbox evasion technique to fly below the radar of built-in system protection. Also, by crashing a legitimate application, an attacker may be able to pull off remote code execution. Unfortunately, there are plenty of such combos that can play into perpetrators’ hands. To steer clear of these issues, users should head to their devices’ Software Update page and apply the patches without delay.