Apple has released a new set of security fixes that address vulnerabilities in Safari, iOS, watchOS, and tvOS. Some of the vulnerabilities were disclosed before the security updates were available, which opened a loophole for threat actors.
What Issues Were Fixed in iOS 12?
With the release of iOS 12, Apple focused on improving stability and reliability. However, the latest version also includes several new security-oriented features such as intelligent tracking improvements, suppressed ad targeting, and automatic suggestion of strong passwords.
Besides these improvements, the company has addressed several security vulnerabilities:
CVE-2018-4322 – this is an Accounts vulnerability which could enable local apps to read a persistent account identifier;
CVE-2018-5383 – this is an input validation error in the implementation of the communications protocol that could allow privileged attackers to intercept Bluetooth traffic;
CVE-2018-4330 – this issue is described as memory corruption. If exploited, it could allow attackers to execute arbitrary code;
CVE-2018-4356 – this vulnerability has been reported anonymously. It is described as a permission issue in Apple’s mobile operating system which allowed rogue applications to learn information about the user’s current camera view prior to being granted camera access;
CVE-2018-4338 – this vulnerability is a validation issue and it allowed attackers to use malicious apps to read restricted memory;
CVE-2018-4363 – this is one of the serious security issues in the iOS kernel resolved in iOS 12. The bug was reported by Google Project Zero and is described as an input validation issue which could allow apps to read restricted memory.
Another severe vulnerability in Apple’s Messages communication platform was also fixed. The flaw is a consistency issue located in the handling of app snapshots, which could allow local attackers to discover the user’s deleted messages.
Flaws in Safari Also Patched
Several issues in the Safari browser were also fixed in its latest version, Safari 12: CVE-2018-4307, CVE-2018-4329, and CVE-2018-4195. CVE-2018-4307 could allow malicious websites to exfiltrate autofilled data in Safari. CVE-2018-4329 is described as an issue which could prevent browsing history items from being deleted. CVE-2018-4195 concerns an issue which could lead to user interface spoofing triggered by clicking on a link on a malicious website.
Other issues include a validation vulnerability in the IOMobileFrameBuffer, a password spoofing bug tracked as CVE-2018-4305 in the iTunes Store, and a flaw which could be exploited to recover deleted content from Notes.
Lastly, an encryption problem tracked as CVE-2016-1777, caused by weaknesses in the RC4 cryptographic algorithm, was also patched. To address the flaw, the company removed RC4 altogether.