Apple has launched iOS 12.2, introducing many new features. What sets this release apart, however, is the number of security patches it includes. Allegedly, Apple has fixed as many as 51 different security vulnerabilities with this software release.
Critical Vulnerability In Apple ReplayKit
This week, Apple released iOS 12.2, the second major update for iOS 12, which patches major security vulnerabilities. One vulnerability patched in this release could allow potential attackers to intercept a victim’s conversations.
As disclosed by Apple in its detailed advisory, the vulnerability (CVE-2019-8566) existed in Apple ReplayKit. Due to this flaw in the API, a potential attacker could access the target device’s microphone without alerting the user.
Apple has patched this vulnerability ‘with improved validation’.
Numerous WebKit Bugs Received Fixes
Apple has also patched 19 vulnerabilities in WebKit, the core of the Safari browser. Around 11 of these 19 bugs were memory corruption issues, of which 10 could lead to arbitrary code execution. The other memory corruption issue (CVE-2019-8562) could allow a sandboxed process to bypass sandbox restrictions.
The other vulnerabilities receiving fixes in this component include a logic issue triggering cross-site scripting (CVE-2019-8551), a consistency issue allowing websites to access the microphone without showing the indicator (CVE-2019-6222), a fetch API cross-origin issue leading to information disclosure (CVE-2019-8515), two use-after-free vulnerabilities allowing arbitrary code execution (CVE-2019-7285 and CVE-2019-8556), a type confusion issue leading to arbitrary code execution (CVE-2019-8506), a logic issue that could allow a website “to execute scripts in the context of another website” (CVE-2019-8503), and a validation issue that could result in process memory disclosure (CVE-2019-7292).
Of all the components in the update bundle, WebKit received the most bug fixes in iOS 12.2.
Other Vulnerabilities Fixed In iOS 12.2
Besides the above, Apple has also fixed a number of other important security vulnerabilities in various components. These include a memory corruption issue in GeoServices (CVE-2019-8553) that could lead to arbitrary code execution after the user clicks on a malicious SMS link.
Alongside the release of iOS 12.2, Apple has also released updates for other products. These include security updates with Safari 12.1, iTunes 12.9.4 for Windows, macOS Mojave 10.14.4, Xcode 10.2 and tvOS 12.2.
Earlier, Apple had also patched numerous security vulnerabilities with the launch of iOS 12.1.