Apple has rolled out security patches for various products. The release covers a total of 59 CVEs spanning arbitrary code execution, privilege escalation, information disclosure and denial of service vulnerabilities. Five vulnerabilities in macOS are considered very critical as they allow an attacker to execute arbitrary code with kernel privileges.

A majority of the security bugs patched in this release were identified in macOS. Seven vulnerabilities in macOS could lead to arbitrary code execution, five of which allow arbitrary code execution with kernel privileges. These flaws exist due to out-of-bounds read and memory corruption issues. The other vulnerabilities in macOS could allow an attacker to read restricted memory, elevate privileges and perform denial of service attacks.

Three bugs were resolved in Safari, and all of them could be exploited to execute arbitrary code. An attacker could trick a user into visiting a malicious website to exploit the underlying vulnerability. Additionally, three vulnerabilities in iCloud and iTunes also lead to arbitrary code execution. Two other flaws in each of iCloud and iTunes allow an attacker to elevate privileges on the target system and gain access to user information through the parsing of a maliciously crafted XML file.

Recently, Google discovered an issue in the Intelligent Tracking Prevention (ITP) system included in Safari. The WebKit feature was enhanced to close the loophole, but no fixes related to this were included in the security updates.


Apple Security Updates Summary :

Apple Security Updates October 2019 has addressed vulnerabilities in the following products:


  • Product : macOS
  • Affected OS : macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15
  • Affected features : ATS, Bluetooth, CFNetwork Proxies, CUPS, CallKit, FaceTime, Kernel, OpenLDAP, Security, libexpat, tcpdump
  • Impact : Arbitrary Code Execution, Privilege Escalation, Information Disclosure, Denial of Service
  • CVEs : CVE-2012-1164, CVE-2012-2668, CVE-2013-4449, CVE-2015-1545, CVE-2017-16808, CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16301, CVE-2018-16451, CVE-2018-16452, CVE-2019-13057, CVE-2019-13565, CVE-2019-15161, CVE-2019-15162, CVE-2019-15163, CVE-2019-15164, CVE-2019-15165, CVE-2019-15166, CVE-2019-15167, CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8837, CVE-2019-8838, CVE-2019-8839, CVE-2019-8842, CVE-2019-8847, CVE-2019-8848, CVE-2019-8852, CVE-2019-8853, CVE-2019-8856

  • Product : iCloud for Windows
  • Affected OS : Windows
  • Affected features : CFNetwork Proxies, WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2019-8848

  • Product : iTunes for Windows
  • Affected OS : Windows
  • Affected features : CFNetwork Proxies, WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2019-8848

  • Product : Safari 13.0.4
  • Affected OS : macOS Mojave and macOS High Sierra, and included in macOS Catalina
  • Affected features : WebKit
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8835, CVE-2019-8844, CVE-2019-8846

  • Product : Xcode 11.3
  • Affected OS : macOS Mojave
  • Affected features : ld64
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8840

  • Product : watchOS 5.3.4
  • Affected OS : watchOS
  • Affected features : FaceTime
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8830

  • Product : watchOS 6.1.1
  • Affected OS : watchOS
  • Affected features : CFNetwork Proxies, FaceTime, IOUSBDeviceFamily, Kernel, Security, WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8836, CVE-2019-8838, CVE-2019-8844, CVE-2019-8848, CVE-2019-8856

  • Product : tvOS 13.3
  • Affected OS : tvOS
  • Affected features : CFNetwork Proxies, FaceTime, IOUSBDeviceFamily, Kernel, Security, WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8835, CVE-2019-8836, CVE-2019-8838, CVE-2019-8844, CVE-2019-8846, CVE-2019-8848

  • Product : iOS 12.4.4
  • Affected OS : iOS
  • Affected features : FaceTime
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8830

  • Product : iOS 13.3 and iPadOS 13.3
  • Affected OS : iOS and iPadOS
  • Affected features : CFNetwork Proxies, CallKit, FaceTime, IOSurfaceAccelerator, IOUSBDeviceFamily, Kernel, Photos, Security, WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8835, CVE-2019-8836, CVE-2019-8838, CVE-2019-8841, CVE-2019-8844, CVE-2019-8846, CVE-2019-8848, CVE-2019-8856, CVE-2019-8857

 

Article Name : Apple Security Updates December 2019
Publisher Name : SecPod Technologies
