Apple’s latest security advisory contains a total of 51 security vulnerabilities. The company released iOS 12.2 to address these flaws that affect iPhone 5 and later, iPad Air and later, and iPod touch 6th generation.
51 Vulnerabilities Fixed in iOS 12.2
Most of the vulnerabilities are located in WebKit, Apple’s web rendering engine, utilized by apps and web browsers. One of these vulnerabilities is CVE-2019-6222, which could enable a website to access the microphone of the device, without any indication of use.
Another one, CVE-2019-8515, is described as a cross-origin issue with the fetch API which could be exploited by processing maliciously crafted web content to disclose sensitive user information.
CVE-2019-8503, which is also located in WebKit, is a logic issue that could have allowed malicious websites to execute scripts in the context of another site.
CVE-2019-8566 Gave Access to Microphone
However, the most alarming issue appears to be CVE-2019-8566, a vulnerability in Apple’s ReplayKit. The ReplayKit is utilized by various iOS apps, and is a component for recording and streaming audio and video feeds from a device.
According to the advisory, the vulnerability in this component would have allowed malicious applications to access microphones without indication to the user, thus letting them record or stream nearby conversations.
“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” the advisory said.
Another serious issue affects GeoServices, the component that navigates the geo-location data. Clicking a malicious SMS link could have led to arbitrary code execution due to CVE-2019-8553, a memory corruption bug.
CVE-2019-8553 was also addressed in iOS 12.2, a memory handling issue.
In fact, it turns out that memory handling flaws are among the most prevalent security bugs. According to Microsoft, 70 percent of all security vulnerabilities addressed by the company are indeed related to memory handling.
Apple also fixed several kernel issues, such as CVE-2019-8514 which could have allowed an application to gain elevated privileges, and CVE-2019-7293, which could have allowed a local user to read kernel memory.