Apple patches more than 50 vulnerabilities

News by Mark Mayne

Tech giant Apple has issued a raft of bug fixes and patches to many of the company's core products, alongside a celebrity-studded unveiling of new products.

The patches cover a host of serious vulnerabilities in mobile and desktop OS versions, browsers, and iCloud and iTunes on Windows machines, affecting iPhones after iPhone 5s, iPad Air and newer, most Macs and Apple TV devices. The company announced a TV and video streaming service and a new payment method, the Apple Card, at the parallel launch event.

More than 50 vulnerabilities are addressed, some of them serious, including memory corruption bugs. Experts were quick to decry the apparent link between patch release timing and the new product launches, with Alex Stamos, former chief security officer at Facebook, noting the severity of the bugs:

— Alex Stamos (@alexstamos) 25 March 2019

Gavin Millard, VP of intelligence at Tenable, told SC Media UK that the sheer volume of potential vulnerabilities being uncovered meant that reacting immediately to each one is not practical. "While the latest batch of updates from Apple might seem a lot, with over 51 vulnerabilities in iOS version 12.2 addressed, it’s just the tip of the patch iceberg. Already this year we’ve seen in excess of 4,000 vulnerabilities published, that’s on top of the 16,500 published last year.

"Even the largest security team working around the clock would be unable to find and fix every vulnerability as it’s announced and patched – that’s assuming that the patch can be applied, which often it can’t. The reality is that, while there may be thousands of vulnerabilities announced, only a tiny proportion are ever weaponised – it’s finding those and fixing them as a priority that will reduce an organisation’s overall risk."

"Fortunately, for a large portion of the Apple user base, these fixes will be automatically applied overnight or the next time their devices are charged and connected to Wi-Fi."

Apple’s iPhone OS saw a vast number of patches, with five kernel vulnerabilities patched and no fewer than 11 WebKit flaws fixed. Inevitably, some of these were memory corruption bugs that an attacker could exploit by crafting specific web content, and they forced Apple to improve memory handling, state, and management.

One vulnerability, CVE-2019-8551, is a universal cross-site scripting bug, while CVE-2019-8515 could potentially allow an attacker to glean sensitive user information. Another, CVE-2019-8562, could be leveraged to allow a process to bypass sandbox restrictions.

The full list of updates is below, and it is recommended that any vulnerable devices are updated immediately…

Apple security updates

| Name and information link | Available for | Release date |
| --- | --- | --- |
| iCloud for Windows 7.11 | Windows 7 and later | 25 Mar 2019 |
| iTunes 12.9.4 for Windows | Windows 7 and later | 25 Mar 2019 |
| Safari 12.1 | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and Mojave 10.14.4 | 25 Mar 2019 |
| macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3 | 25 Mar 2019 |
| tvOS 12.2 | Apple TV 4K and Apple TV HD previously Apple TV (4th generation) | 25 Mar 2019 |
| Xcode 10.2 | macOS High Sierra 10.13.6 and later | 25 Mar 2019 |
| iOS 12.2 | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | 25 Mar 2019 |
