This week, tech giant Apple released new security updates for iOS, macOS, tvOS, Safari, and iCloud and iTunes for Windows, addressing a number of vulnerabilities in these products.
WebKit was the most affected component, with 19 vulnerabilities. The web browser engine is used by a wide range of applications across many platforms, including iOS and macOS.
The flaws addressed in WebKit could lead to universal cross-site scripting, arbitrary code execution, information disclosure, and disclosure of process memory. One bug could allow a sandboxed process to circumvent sandbox restrictions, while another allows websites to access the microphone without any indicator being shown to the user.
To resolve these problems, Apple included patches for the WebKit flaws in the updates for iOS, Safari, tvOS, iTunes for Windows, and iCloud for Windows. iOS 12.2, released this week, addresses a total of 40 flaws, including the 19 in WebKit.
Exploitation of these flaws could lead to denial of service, privilege escalation, information disclosure, arbitrary code execution, kernel memory disclosure, unexpected system termination, S/MIME signature spoofing, user tracking, or the overwriting of arbitrary files.
Patches for as many as 38 vulnerabilities were included in the newly released macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, and Security Update 2019-002 Sierra, while only one flaw was addressed in Xcode 10.2: a memory corruption issue that could let an application execute arbitrary code with kernel privileges. The issue was addressed with improved input validation.
iTunes 12.9.4 for Windows also addresses 19 flaws: 18 in WebKit and 1 in CoreCrypto. iCloud for Windows 7.11 addresses 20 vulnerabilities: 17 in WebKit, and 3 affecting CoreCrypto, iTunes, and Windows Installer.