Apple released security updates for multiple products today. A total of 49 vulnerabilities were addressed. Exploitation of some of these security flaws could allow an attacker to take control of an affected system. Adobe also released an out-of-band security update for a critical arbitrary file deletion vulnerability in Creative Cloud.
Critical vulnerabilities in Apple products
The update for macOS includes fixes for 27 vulnerabilities, which could allow an attacker to execute arbitrary code with kernel privileges, disclose sensitive information, escalate privileges, cause memory corruption, and more.
A total of 11 vulnerabilities have been fixed in Apple Safari. Arbitrary code execution or cross-site scripting attacks could be carried out using maliciously crafted web content, and an application may be able to read restricted memory. Apple fixed these issues by adding further validation.
A type confusion issue was present in Apple iTunes which could be used to process maliciously crafted web content leading to arbitrary code execution. This vulnerability was addressed with improved memory handling.
A race condition issue was addressed in Apple iCloud for Windows 7 and Windows 10 through Windows Store. Successful exploitation may allow an application to read restricted memory.
Critical security update for Adobe Creative Cloud
The time-of-check to time-of-use (TOCTOU) race condition vulnerability is regarded as critical in severity and can result in arbitrary file deletion. Creative Cloud is a set of applications and services from Adobe Inc.: a subscriber gets access to a collection of software such as Adobe Photoshop, Adobe Premiere Pro and After Effects, used for graphic design, video editing, photography and various other purposes.
This vulnerability, which allows an attacker to delete arbitrary files, is caused by a race condition, i.e. a situation in which two or more processes access a shared resource and at least one of them modifies it. In a time-of-check to time-of-use race condition, the program first checks a property of a resource (for example, that a path refers to a file it is allowed to remove) and only later acts on the result of that check. Because another process can change the resource in the window between the check and the use, the action ends up being performed on something that no longer matches what was checked. If successfully exploited, an attacker can delete arbitrary files on the target system.
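To make the check-then-use window concrete, here is an added Python example; it is not Adobe's code and not the Creative Cloud vulnerability itself, whose internals the advisory does not describe. It models a cleanup routine that is meant to delete only files under its own directory. `unsafe_purge` validates the path and then deletes by path, so a directory component that is replaced by a symlink between the two steps redirects the delete; `safe_purge` opens each path component with `O_NOFOLLOW` and unlinks relative to the directory descriptor it verified, which closes the window. The `interleave` hook and the `demo` scenario are constructed to make the race deterministic; the code needs a POSIX system with `dir_fd` support.

```python
import os
import tempfile
from pathlib import Path


def unsafe_purge(root: str, rel: str, interleave=lambda: None) -> bool:
    """Vulnerable check-then-use pattern (CWE-367), constructed for illustration.

    Checks that root/rel resolves inside root, then deletes it *by path*.
    `interleave` stands in for whatever another process does between the
    check and the delete; in real code that gap is decided by the scheduler.
    """
    target = os.path.join(root, rel)
    real_root = os.path.realpath(root)
    if not os.path.realpath(target).startswith(real_root + os.sep):
        return False            # check: the path is inside root
    interleave()                # window: a directory component can be swapped
    os.remove(target)           # use: re-resolves the (possibly changed) path
    return True


def safe_purge(root: str, rel: str, interleave=lambda: None) -> bool:
    """Hardened version: walk the path one component at a time with
    O_NOFOLLOW and delete relative to the directory descriptor, so a swap
    after the check changes nothing the delete operates on."""
    parts = Path(rel).parts
    if not parts or any(p in ("", ".", "..") for p in parts):
        return False
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dirfd = os.open(root, flags)
    try:
        for comp in parts[:-1]:
            try:
                nxt = os.open(comp, flags, dir_fd=dirfd)  # fails on a symlink
            except OSError:
                return False
            os.close(dirfd)
            dirfd = nxt
        interleave()            # same window, but we hold the real directory
        os.unlink(parts[-1], dir_fd=dirfd)   # acts on the verified directory
        return True
    finally:
        os.close(dirfd)


def demo(purge) -> bool:
    """Build a constructed scenario in a temp dir, run `purge` with a
    directory swap interleaved, and return True if the file outside the
    cleanup root survived (i.e. the routine behaved safely)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "cache"))
    os.makedirs(outside)
    Path(root, "cache", "file.txt").write_text("junk")
    protected = Path(outside, "file.txt")
    protected.write_text("important")

    def swap():  # the concurrent change the race window permits
        os.rename(os.path.join(root, "cache"), os.path.join(root, "cache.old"))
        os.symlink(outside, os.path.join(root, "cache"))

    purge(root, os.path.join("cache", "file.txt"), interleave=swap)
    return protected.exists()


if __name__ == "__main__":
    print("unsafe_purge kept the outside file:", demo(unsafe_purge))  # False
    print("safe_purge kept the outside file:  ", demo(safe_purge))    # True
```

The fix is not a better check but a different object to act on: once the routine holds a descriptor for the directory it inspected, later changes to the path name cannot redirect the unlink, and a symlinked component is rejected outright by `O_NOFOLLOW`.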
Adobe has released updates to fix this vulnerability. We strongly recommend installing these security updates as soon as possible.
Apple Security Updates Summary for March 2020 and Adobe Creative Cloud Out-of-Band Security Update:
- Product: macOS
- Affected OS: macOS Catalina, Mojave and High Sierra
- Affected features: HSSPI Support, AppleGraphicsControl, AppleMobileFileIntegrity, Bluetooth, Call History, CoreFoundation, FaceTime, Icons, Intel Graphics Driver, IOHIDFamily, IOThunderboltFamily, Kernel, libxml2, Mail, sudo, TCC, Time Machine, Vim
- Impact: Information disclosure, Privilege escalation, Arbitrary code execution, Memory corruption
- CVEs: CVE-2019-14615, CVE-2019-19232, CVE-2019-8853, CVE-2020-3851, CVE-2020-3881, CVE-2020-3883, CVE-2020-3884, CVE-2020-3889, CVE-2020-3892, CVE-2020-3893, CVE-2020-3903, CVE-2020-3904, CVE-2020-3905, CVE-2020-3906, CVE-2020-3907, CVE-2020-3908, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3912, CVE-2020-3913, CVE-2020-3914, CVE-2020-3919, CVE-2020-9769, CVE-2020-9773, CVE-2020-9776, CVE-2020-9785
- Product: Safari
- Affected OS: macOS Mojave, macOS High Sierra, and macOS Catalina
- Affected features: Safari Downloads, WebKit, WebKit Page Loading
- Impact: Information disclosure, Cross-site scripting, Incorrect file URL processing, Arbitrary code execution
- CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-9783, CVE-2020-9784
- Product: iTunes for Windows
- Affected OS: Windows 7 and later
- Affected features: libxml2, WebKit, WebKit Page Loading
- Impact: Incorrect file URL processing, Cross-site scripting, Arbitrary code execution
- CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-9783
- Product: tvOS
- Affected OS: Apple TV 4K and Apple TV HD
- Affected features: ActionKit, AppleMobileFileIntegrity, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, WebKit, WebKit Page Loading
- Impact: Information disclosure, Incorrect file URL processing, Arbitrary code execution, Privilege escalation
- CVEs: CVE-2020-3883, CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3914, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9773, CVE-2020-9783, CVE-2020-9785
- Product: watchOS
- Affected OS: watchOS
- Affected features: ActionKit, AppleMobileFileIntegrity, CoreFoundation, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, Messages, WebKit
- Impact: Arbitrary code execution, Privilege escalation, Information disclosure
- CVEs: CVE-2020-3883, CVE-2020-3891, CVE-2020-3895, CVE-2020-3897, CVE-2020-3900, CVE-2020-3901, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3913, CVE-2020-3914, CVE-2020-3916, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9773, CVE-2020-9785
- Product: iOS and iPadOS
- Affected OS: iOS and iPadOS
- Affected features: ActionKit, Bluetooth, AppleMobileFileIntegrity, CoreFoundation, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, Mail, Mail Attachments, Messages, Messages Composition, Safari, Web App, WebKit, WebKit Page Loading
- Impact: Arbitrary code execution, Privilege escalation, Information disclosure
- CVEs: CVE-2020-3883, CVE-2020-3885, CVE-2020-3887, CVE-2020-3888, CVE-2020-3890, CVE-2020-3891, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3913, CVE-2020-3914, CVE-2020-3916, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9770, CVE-2020-9773, CVE-2020-9775, CVE-2020-9777, CVE-2020-9780, CVE-2020-9781, CVE-2020-9783, CVE-2020-9785
- Product: iCloud
- Affected OS: Windows 7 and Windows 10
- Affected features: libxml2, WebKit, WebKit Page Loading
- Impact: Arbitrary code execution, Cross-site scripting, Incorrect file URL processing
- CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-9783
- Product: Adobe Creative Cloud 5.0 and earlier versions
- Affected OS: Windows
- Impact: Arbitrary file deletion
- CVEs: CVE-2020-3808
SecPod Saner detects these vulnerabilities and automatically fixes them by applying the security updates. Download SanerNow and keep your systems updated and secure.