Apple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
A majority of vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on the Apple’s operating system.
According to the advisory, just opening a maliciously crafted web content using any vulnerable WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks on the device.
Among the WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device microphone without the “microphone-in-use” indicator being shown.
A similar vulnerability (CVE-2019-8566) has been patched in Apple’s ReplayKit API that could allow a malicious application to access the iOS device’s microphone without alerting the user.
“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple says in its advisory briefing the ReplayKit bug.
Apple has also patched a serious logical bug (CVE-2019-8503) in WebKit that could have allowed malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites or launch a wide-range of online attacks.
Besides WebKit issues, the advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by convincing victims into clicking a malicious SMS link.
The SMS vulnerability, identified as CVE-2019-8553, appears to affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation devices.
Apple has also patched a total of six vulnerabilities in iOS kernel, of which CVE-2019-8527 could allow a remote attacker to crash the system or corrupt kernel memory, CVE-2019-8514 could be used to elevate privileges, and rest allow malicious apps to read memory layout.
The technical details and proof-of-concept code for the newly patched flaws are yet unavailable.
To check for the update on your iPhone or iPad, go to Settings→ General → Software Update and click the ‘Download and Install’ button.
- Google Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws
- Latest iOS 12.1.4 Update Patches 2 Zero-Day and FaceTime Bugs
- Update Microsoft Windows Systems to Patch 99 New Security Flaws
- iOS 12.4 jailbreak released after Apple ‘accidentally un-patches’ an old flaw
- Apple Releases iOS 12.4.1 Emergency Update to Patch ‘Jailbreak’ Flaw