iOS 12 Brings Patches for 16 Security Vulnerabilities
20.9.2018 securityweek
iOS

Apple this week officially released iOS 12, which patches various vulnerabilities in the mobile operating system (OS) and brings improved performance and other enhancements.

The tech giant also pushed updates for Apple TV 4K and Apple TV (4th generation) and Apple Watch Series 1 and later, with the release of tvOS 12 and watchOS 5. Safari 12 and Apple Support 2.4 for iOS were also released this week.

A total of 16 vulnerabilities were addressed with the release of iOS 12, most of which impact only iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Tracked as CVE-2018-5383, an input validation issue in Bluetooth could allow an attacker in a privileged network position to intercept Bluetooth traffic. It impacts iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation.

The remaining flaws affect components such as Accounts, Core Bluetooth, CoreMedia, IOMobileFrameBuffer, iTunes Store, Kernel, Messages, Notes, Safari, SafariViewController, Security, Status Bar, and Wi-Fi.

Some of these flaws could allow an app to read a persistent account identifier, execute arbitrary code with system privileges, learn information about the current camera view before being granted camera access, or read restricted memory.

Bugs in Messages, Notes, and Safari could allow a local user to discover a user’s deleted messages, notes, or the websites a user has visited. A flaw in iTunes Store could be exploited by an attacker in a privileged network position to spoof password prompts in the iTunes Store.

One other flaw in Safari could prevent a user from deleting browsing history items. Other flaws could allow malicious websites to exfiltrate autofilled data in Safari or could lead to address bar spoofing when visiting malicious websites.

Apple also removed the RC4 cryptographic algorithm from the platform, to prevent attackers from exploiting weaknesses in it, and addressed an issue where anyone with physical access to an iOS device could determine the last used app from the lock screen.

tvOS 12 patches 5 vulnerabilities in Bluetooth, iTunes Store, Kernel, Safari, and Security, while watchOS 5 addressed 4 bugs in iTunes Store, Kernel, Safari, and Security.

Available for macOS Sierra 10.12.6, and macOS High Sierra 10.13.6, Safari 12 patches 3 flaws, while Apple Support 2.4 for iOS addresses one bug in Analytics, which could allow an attacker in a privileged network position to intercept analytics data sent to Apple.