Date: 2020-03-26

Apple released iOS 13.4 and iPadOS 13.4 last night, bringing improvements to Files, CarPlay, and Keyboard, along with new Memoji and several bug fixes. The updates also bring patches for several security issues. Some of the notable bugs addressed in the latest release include:

Arbitrary code execution with system privileges

Arbitrary code execution with kernel privileges

User's private browsing activity may be unexpectedly saved in Screen Time

User may grant website permissions to a site they didn't intend to

A remote attacker may be able to cause arbitrary code execution

Google Project Zero, Trend Micro’s Zero Day Initiative, Qihoo 360, Zimperium zLabs, and several other independent researchers have helped the iPhone maker patch these security bugs.


Here is the complete iOS and iPadOS 13.4 security changelog:

ActionKit
Impact: An application may be able to use an SSH client provided by private frameworks
Description: This issue was addressed with a new entitlement.
CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)

AppleMobileFileIntegrity
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)

Bluetooth
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: A logic issue was addressed with improved state management.
CVE-2020-9770: Jianliang Wu of PurSec Lab of Purdue University, Xinwen Fu and Yue Zhang of the University of Central Florida

CoreFoundation
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

Icons
Impact: Setting an alternate app icon may disclose a photo without needing permission to access photos
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2020-3916: Vitaliy Alekseev (@villy21)

Icons
Impact: A malicious application may be able to identify what other applications a user has installed
Description: The issue was addressed with improved handling of icon caches.
CVE-2020-9773: Chilik Tamir of Zimperium zLabs

Image Processing
Impact: An application may be able to execute arbitrary code with system privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9768: Mohamed Ghannam (@_simo36)

IOHIDFamily
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3919: an anonymous researcher

Kernel
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai

Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

libxml2
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size validation.
CVE-2020-3910: LGTM.com

libxml2
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz

Mail
Impact: A local user may be able to view deleted content in the app switcher
Description: The issue was resolved by clearing application previews when content is deleted.
CVE-2020-9780: an anonymous researcher, Dimitris Chaintinis

Mail Attachments
Impact: Cropped videos may not be shared properly via Mail
Description: An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video.
CVE-2020-9777

Messages
Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled
Description: A logic issue was addressed with improved state management.
CVE-2020-3891: Peter Scott

Messages Composition
Impact: Deleted messages groups may still be suggested as an autocompletion
Description: The issue was addressed with improved deletion.
CVE-2020-3890: an anonymous researcher

Safari
Impact: A user's private browsing activity may be unexpectedly saved in Screen Time
Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.
CVE-2020-9775: an anonymous researcher, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland

Safari
Impact: A user may grant website permissions to a site they didn't intend to
Description: The issue was addressed by clearing website permission prompts after navigation.
CVE-2020-9781: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Web App
Impact: A maliciously crafted page may interfere with other web contexts
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3888: Darren Jones of Dappological Ltd.

WebKit
Impact: An application may be able to read restricted memory
Description: A race condition was addressed with additional validation.
CVE-2020-3894: Sergei Glazunov of Google Project Zero

WebKit
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2020-3899: found by OSS-Fuzz

WebKit
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3895: grigoritchy
CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3901: Benjamin Randazzo (@____benjamin)

WebKit
Impact: A download's origin may be incorrectly associated
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3887: Ryan Pickren (ryanpickren.com)

WebKit
Impact: Processing maliciously crafted web content may lead to code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9783: Apple

WebKit
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative

WebKit Page Loading
Impact: A file URL may be incorrectly processed
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3885: Ryan Pickren (ryanpickren.com)

For more details, head over to the official security page.

Thanks for the tip, Jesse.