Hidden behind Apple’s big day of services announcements on March 25 with new TV, news and future credit card services was an item of more immediate importance to most Apple users—a set of critical security updates.
Apple updated its iOS mobile operating system to version 12.2 and its macOS Mojave desktop operating system to version 10.14.4, fixing numerous vulnerabilities that could have potentially exposed users to risk. Among the risks are flaws that could enable privilege escalation, information disclosure and arbitrary code execution.
Noticeably absent from the list of fixed vulnerabilities were new issues disclosed on March 20 at the Pwn2Own security contest. Researchers at that event were able to publicly demonstrate new zero-day flaws in Apple’s Safari web browser running on macOS. Though the flaws were demonstrated at the event, the full vulnerability details have been kept under wraps and were privately disclosed to Apple.
The new Apple software releases are the first since Apple released the iOS 12.1.4 and macOS Mojave 10.14.3 updates on Feb. 8, which patched a critical FaceTime vulnerability. Apple’s live messaging service has come under intense scrutiny in 2019 as researchers have uncovered multiple security issues. In the new iOS 12.2 and macOS Mojave 10.14.4 updates, there is yet another FaceTime flaw (CVE-2019-8550) that is being patched, though the new issue isn’t quite as impactful as past issues, which enabled attackers to activate a user’s camera without user knowledge.
“A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing,” the Apple advisory for CVE-2019-8550 states.
Siri Dictation Vulnerability
While FaceTime has been patched in the past for issues related to potential snooping with unauthorized access to a user’s camera or microphone, several troublesome issues of a similar nature were patched in the new iOS and macOS Mojave updates. Among them is an issue with Siri.
Apple’s Siri voice personal assistant is supposed to only activate when the local user initiates a request with the “Hey Siri” command. The CVE-2019-8502 vulnerability, however, is a flaw with Siri that should concern Apple users.
“A malicious application may be able to initiate a Dictation request without user authorization,” Apple warned in its advisory.
The CVE-2019-8502 issues was reported to Apple by researchers working at North Carolina State University and University Politechnica in Bucharest, Romania. According to Apple, an API issue existed in the handling of dictation requests, which has now been addressed with improved validation.
The Siri dictation flaw isn’t the only issue Apple is patching this month that involves unauthorized access to a user’s device microphone. Apple is also patching the CVE-2019-8566 issue in the ReplayKit framework, which enables users to record video and audio from apps.
“A malicious application may be able to access the microphone without indication to the user,” Apple warned in its advisory for CVE-2019-8566.
Among the more interesting flaws fixed in the new Apple updates are a pair of flaws (CVE-2019-8521, CVE-2019-8565) that were reported to Apple by a researcher using the alias “CodeColorist” of Ant-Financial LightYear Labs. The flaws involve what is generally thought to be an innocuous element of any operating system—a feedback assistant for sending feedback to a developer.
With the CVE-2019-8521 issue, Apple warned that a malicious application may be able to overwrite arbitrary files. The CVE-2019-8565 flaw on the other hand could have potentially enabled a malicious application to gain root privileges.
Beware of Malicious SMS Links
The issue of potentially malicious SMS text message links is one that Apple and other cellular device vendors have dealt with in recent years. In the iOS 12.2 update, Apple is fixing a vulnerability (CVE-2019-8553) in its GeoServices library that impacts SMS.
“Clicking a malicious SMS link may lead to arbitrary code execution,” Apple warned.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.