Apple iOS 13.4 offers fixes for 30 vulnerabilities

Apple has just announced its latest something for everyone security and feature updates for iOS, iPadOS, macOS, watchOS, and tvOS.

In terms of security, the attention grabber is iOS/iPad 13.4, which fixes 30 CVEs. Apple doesn’t rate the severity of vulnerabilities in its advisories, but we can pick out a few highlights from their descriptions.

The following apply to supported devices, namely the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Kernel bugs

The standout here is CVE-2020-9785, through which a rogue application could execute with kernel privileges, mirroring CVE-2020-3919, an identical-sounding issue connected to the IOHIDFamily.

A third kernel flaw fixed is CVE-2020-3914, information disclosure by reading restricted memory.

WebKit

As usual, WebKit browser engine and Safari gave Apple plenty to fix, all but one of which were found by sources outside the company, including an arbitrary code execution flaw, CVE-2020-3899, credited to Google’s open source fuzzing tool, OSS-Fuzz.

Of the 10 CVEs in WebKit, another four allow arbitrary code execution, including CVE-2020-3901 and CVE-2020-9783, which could be exploited through maliciously crafted web content. The same goes for CVE-2020-3902, in which maliciously crafted content could make possible a cross-site scripting attack.

The Safari vulnerabilities, CVE-2020-9775 and CVE-2020-9781, are both relatively minor but unusual, the first causing a user’s private browsing history to be saved in the Screen Time parental control app, the second causing a user to “grant website permissions to a site they didn’t intend to.”

The WebKit fixes are mirrored in the desktop version of Safari.