Apple yesterday released updates across a range of its products, including macOS, which goes to 10.14.4 and iOS, which is now at version 12.2.
WebKit and beyond
In terms of numbers, the system component with the most entries in the update list is Apple’s browser core, known as WebKit, which gets fixes for 13 vulnerabilities with CVE numbers.
Most of these are a predictable mixture of cross-site scripting (CVE-2019-8551), breaking out of the sandbox (CVE-2019-8562), and things that break web cross-site origin security (CVE-2019-8515).
There’s also the snoopy sounding CVE-2019-6222, by means of which:
A website may be able to access the microphone without the microphone use indicator being shown.
Echoing this is CVE-2019-8554, through which a website could track a user’s motion and orientation data.
This is similar in theme to flaw in the ReplayKit API, CVE-2019-8566, which could allow apps to record from a device’s microphone without the user realising.
Most users probably understand that devices can be used to track their web visits and behaviour. That security flaws in devices might extend this to their conversations or physical movement sounds much spookier.
A final highlight of iOS 12.2 is CVE-2019-8553, an old-school flaw in GeoServices (device geo-location) that Apple said could give attackers a path to compromise without the need for a browser:
Clicking a malicious SMS link may lead to arbitrary code execution.
The news among 38 patches in macOS Mojave users is that 10.14.4 (Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra) addresses the KeySteal flaw, a bug that was announced but not disclosed to Apple 18-year-old German researcher, Linus Henze, in early February.
Similar to a previous flaw called keychainStealer, this could have allowed a malicious app to drain passwords out of Apple’s Keychain password manager.
Initially Henze said he was going to keep the flaw to himself as a protest over the fact that Apple doesn’t reward researchers with bounties for macOS vulnerabilities.
Some days later, he relented and decided to send the bug details to Apple anyway.
Sure enough, FaceTime gets another of its regular fixes in the form of CVE-2019-8550, described by Apple as follows:
A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing.
At least this is relatively minor compared to February’s fix for CVE-2019-6223, a FaceTime eavesdropping vulnerability that caused some panic some days earlier.
What to do?
To check that you’re up to date – and to jump the queue and get the updates right away if you haven’t been offered them yet:
- On an iPhone, go to Settings → General → Software Update.
- On a Mac, go to the Apple menu, choose About This Mac and click [Software Update…].