Vulnerabilities make it possible to inject malicious code into iPhone and Mac, Apple warns. Apps and websites can secretly activate the iPhone microphone. (Source – gravis.de)
Users of iPhone, iPad and Mac should install the operating system updates Apple published on Monday evening without delay: iOS 12.2 and macOS 10.14.4 each close a two-digit number of security holes, including serious ones that allow malicious code to be injected when the user visits a manipulated website.
The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security warns that remote attackers can also use some of these vulnerabilities to take over the system – and urges updates.
Apps can turn the iPhone into a listening device
Due to a flaw in ReplayKit, apps are also able to activate the iPhone and iPad microphone without the user noticing, as Apple explains in its detailed notes on the security content of iOS 12.2. A WebKit vulnerability means that even manipulated websites can secretly activate the microphone, the manufacturer notes.
A vulnerability in Apple’s GeoServices allows malicious code to be executed when the user clicks on a manipulated link in an SMS message, Apple writes without giving further details. The vulnerability (CVE-2019-8553) was reported by an “anonymous security researcher”. According to reports, such vulnerabilities are used by government agencies, among others, to take over the iPhones of targeted individuals. In total, Apple lists more than 50 vulnerabilities that iOS 12.2 is meant to eliminate.
Serious vulnerabilities also in macOS
For macOS 10.14.4, Apple lists 38 fixed vulnerabilities, including one that allows apps to read sensitive data from the Mac keychain. Malicious applications can also gain root privileges, according to the listing. This is “extremely easy to exploit,” writes the security researcher who reported the vulnerability to Apple. However, he intends to give details only later, so that users have time to update.
More Apple security updates – also for Windows
Besides the system updates for iOS 12 and macOS 10.14 Mojave, Apple has also released security updates for macOS 10.13 High Sierra and macOS 10.12 Sierra, as well as a new version 12.1 of Safari for Mac, which is already included in macOS 10.14.4. The Xcode development environment also gets a security fix in version 10.2.
There are also security updates for Apple’s TV box (tvOS 12.2) and for Windows users: both iCloud and iTunes should be updated. In addition to numerous WebKit vulnerabilities, these updates also eliminate a buffer overflow that allows applications to elevate their privileges, as Apple explains.