Apple yesterday released iOS 12.2, which, like never before, includes fixes for a considerable number of security-related issues, including some that are downright disturbing.
In total, the company fixed 51 security flaws. Probably the scariest security bug, at first glance, is CVE-2019-8566, a vulnerability in Apple’s ReplayKit. Used by various iOS apps, this is a component for recording and streaming audio and video feeds from a device.
Apple said a bug that existed in this component would have allowed malicious applications to access microphones without indication to the user, and surreptitiously record or stream nearby conversations.
“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple said.
Code execution via SMS links
Another major issue fixed in this release is the one affecting iOS GeoServices, the component responsible for working with geo-location data.
Apple said that it patched a bug reported by an anonymous researcher who discovered a way to execute code on iOS devices by sending links in SMS messages. If the user clicked these malformed links, then the attacker would have been able to run malicious code on the device.
The vulnerability (CVE-2019-8553) was attributed to a memory handling issue and patched in iOS 12.2. Memory handling bugs aren’t a problem for Apple alone, and Microsoft said earlier this year that nearly 70 percent of all security bugs it patches on a yearly basis are memory handling related issues.
WebKit bugs galore
But the GeoServices SMS link bug wasn’t the only memory-related bug fixed in iOS 12.2. Similar memory corruption issues that could lead to code execution with elevated privileges were also fixed in the IOKit SCSI and Power Management components.
WebKit, which is the heart of the Safari browser, also suffered from similar memory corruption issues that could lead to malicious code execution.
Apple fixed not one, but 13 of these bugs: CVE-2019-8535, CVE-2019-6201, CVE-2019-8518, CVE-2019-8523, CVE-2019-8524, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-8536, CVE-2019-8544, CVE-2019-7285, CVE-2019-8556, and CVE-2019-8506.
WebKit was, by far, the component that received the most security fixes overall. Besides code execution vulnerabilities, Apple also fixed a universal cross-site scripting (XSS) flaw that impacted the WebKit engine and worked on any website (CVE-2019-8551), along with a dangerous sandbox escape issue (CVE-2019-8562) that could have allowed malicious code to escape from the browser process and run on the underlying OS.
In addition, Denis Markov of Resonance Software found that malicious websites may also be able to access a user’s microphone without a visual indicator being shown (CVE-2019-6222).
KeySteal zero-day receives a fix
This is just a summary of the most dangerous security bugs fixed in iOS and its components. Some bugs, like the Safari and WebKit issues, also impact other Apple products in which these components are embedded.
The release of iOS 12.2 at Apple’s glitzy event yesterday may have caught everybody’s eye because of the release of the Apple News Plus and Apple Card services, but users would be doing themselves a bigger favor if they updated to get the iOS 12.2 security patches instead.
In addition, updating macOS to the latest 10.14.4 release will also patch the KeySteal zero-day that became public at the start of February 2019, and which can allow malicious threat actors to steal passwords from the macOS Keychain.