Apple released iOS 13.4 and iPadOS 13.4 last night bringing improvements to Files, CarPlay, and Keyboard, along with new Memoji and several bug fixes and improvements. The updates also bring patches to several security issues. Some of the notable bugs getting addressed with the latest release include:
- Arbitrary code execution with system privileges
- Arbitrary code execution with kernel privileges
- User's private browsing activity may be unexpectedly saved in Screen Time
- User may grant website permissions to a site they didn't intend to
- A remote attacker may be able to cause arbitrary code execution
Google Project Zero, Trend Micro’s Zero Day Initiative, Qihoo 360, Zimperium zLabs, and several other independent researchers have helped the iPhone patching these security bugs.
Here is the complete iOS and iPadOS 13.4 security changelog:
ActionKit
Impact: An application may be able to use an SSH client provided by private frameworks
Description: This issue was addressed with a new entitlement.
CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)
AppleMobileFileIntegrity
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)
Bluetooth
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: A logic issue was addressed with improved state management.
CVE-2020-9770: Jianliang Wu of PurSec Lab of Purdue University, Xinwen Fu and Yue Zhang of the University of Central Florida
CoreFoundation
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG
Icons
Impact: Setting an alternate app icon may disclose a photo without needing permission to access photos
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2020-3916: Vitaliy Alekseev (@villy21)
Icons
Impact: A malicious application may be able to identify what other applications a user has installed
Description: The issue was addressed with improved handling of icon caches.
CVE-2020-9773: Chilik Tamir of Zimperium zLabs
Image Processing
Impact: An application may be able to execute arbitrary code with system privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9768: Mohamed Ghannam (@_simo36)
IOHIDFamily
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3919: an anonymous researcher
Kernel
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai
Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team
libxml2
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size validation.
CVE-2020-3910: LGTM.com
libxml2
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz
Impact: A local user may be able to view deleted content in the app switcher
Description: The issue was resolved by clearing application previews when content is deleted.
CVE-2020-9780: an anonymous researcher, Dimitris Chaintinis
Mail Attachments
Impact: Cropped videos may not be shared properly via Mail
Description: An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video.
CVE-2020-9777
Messages
Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled
Description: A logic issue was addressed with improved state management.
CVE-2020-3891: Peter Scott
Messages Composition
Impact: Deleted messages groups may still be suggested as an autocompletion
Description: The issue was addressed with improved deletion.
CVE-2020-3890: an anonymous researcher
Safari
Impact: A user's private browsing activity may be unexpectedly saved in Screen Time
Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.
CVE-2020-9775: an anonymous researcher, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland
Safari
Impact: A user may grant website permissions to a site they didn't intend to
Description: The issue was addressed by clearing website permission prompts after navigation.
CVE-2020-9781: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
Web App
Impact: A maliciously crafted page may interfere with other web contexts
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3888: Darren Jones of Dappological Ltd.
WebKit
Impact: An application may be able to read restricted memory
Description: A race condition was addressed with additional validation.
CVE-2020-3894: Sergei Glazunov of Google Project Zero
WebKit
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2020-3899: found by OSS-Fuzz
WebKit
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3895: grigoritchy
CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3901: Benjamin Randazzo (@____benjamin)
WebKit
Impact: A download's origin may be incorrectly associated
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3887: Ryan Pickren (ryanpickren.com)
WebKit
Impact: Processing maliciously crafted web content may lead to code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9783: Apple
WebKit
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative
WebKit Page Loading
Impact: A file URL may be incorrectly processed
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3885: Ryan Pickren (ryanpickren.com)
For more details, head over to the official security page.
Thanks for the tip, Jesse.
