Apple released security updates for multiple products today. A total of 49 vulnerabilities were addressed. The exploitation of some of these security flaws could allow an attacker to take control of an affected system. Adobe also released an out-of-band security update for a critical arbitrary file deletion vulnerability in Creative Cloud.


Critical vulnerabilities in Apple products

The update for macOS includes fixes for 27 vulnerabilities, which could allow an attacker to execute arbitrary code with kernel privileges, disclose sensitive information, escalate privileges, cause memory corruption, etc.

A total of 11 vulnerabilities have been fixed in Apple Safari. Arbitrary code execution or cross-site scripting attacks could be carried out using maliciously crafted web content and an application may be able to read restricted memory. Apple fixed this issue by including additional validations.

A type confusion issue was present in Apple iTunes; processing maliciously crafted web content could lead to arbitrary code execution. This vulnerability was addressed with improved memory handling.

A race condition issue was addressed in Apple iCloud for Windows 7 and Windows 10 through Windows Store. Successful exploitation may allow an application to read restricted memory.


Critical security update for Adobe Creative Cloud

The time-of-check to time-of-use (TOCTOU) race condition vulnerability is regarded as critical in severity and can result in arbitrary file deletion. Creative Cloud is a set of applications and services from Adobe Inc. A user can subscribe and can get access to a collection of software such as Adobe Photoshop, Adobe Premiere Pro, After Effects, etc. which can be used for graphic design, video editing, photography and various other applications.

This vulnerability, which allows an attacker to delete arbitrary files, is caused by a race condition, i.e. a situation in which two or more systems or processes access a shared resource and intend to modify its data. In a time-of-check to time-of-use race condition, a program checks the state of a resource and then uses the result of that check, while the resource can change between the check and the use. If the vulnerability is successfully exploited, an attacker can delete arbitrary files on the target system.
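A generic illustration of the check-then-use pattern described above next to a descriptor-based fix, added here as an example. It is not Adobe's code: the function names and the temporary-directory scenario are constructed, and it uses POSIX calls (`O_NOFOLLOW`, `dir_fd`) rather than the Windows APIs of the affected product.

```python
import os
import tempfile

def unsafe_cleanup(cache_dir, sub, name, race_window=lambda: None):
    """Vulnerable pattern: validate a path, then delete by the same path string."""
    path = os.path.join(cache_dir, sub, name)
    root = os.path.realpath(cache_dir) + os.sep
    if not os.path.realpath(path).startswith(root):  # time of check
        raise PermissionError("path escapes cache directory")
    race_window()                                    # state can change here
    os.remove(path)                                  # time of use: path resolved again

def safe_cleanup(cache_dir, sub, name, race_window=lambda: None):
    """Hardened pattern: bind to the directory once, then act on the descriptor."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    flags = os.O_RDONLY | os.O_DIRECTORY
    root_fd = os.open(cache_dir, flags)
    try:
        # O_NOFOLLOW refuses a symlink standing in for the subdirectory.
        sub_fd = os.open(sub, flags | os.O_NOFOLLOW, dir_fd=root_fd)
        try:
            race_window()                            # a later swap no longer matters
            os.unlink(name, dir_fd=sub_fd)           # entry in the opened directory only
        finally:
            os.close(sub_fd)
    finally:
        os.close(root_fd)

def run_scenario(cleanup, swap_before=False):
    """Constructed test bed: True if the file outside the cache survives."""
    with tempfile.TemporaryDirectory() as top:
        cache, outside = os.path.join(top, "cache"), os.path.join(top, "outside")
        os.makedirs(os.path.join(cache, "job"))
        os.makedirs(outside)
        for d in (os.path.join(cache, "job"), outside):
            open(os.path.join(d, "tmp.dat"), "w").close()
        def swap():  # stands in for a concurrent process replacing cache/job
            os.rename(os.path.join(cache, "job"), os.path.join(cache, "job.old"))
            os.symlink(outside, os.path.join(cache, "job"))
        hook = (lambda: None) if swap_before else swap
        if swap_before:
            swap()
        try:
            cleanup(cache, "job", "tmp.dat", race_window=hook)
        except OSError:
            pass
        return os.path.exists(os.path.join(outside, "tmp.dat"))
```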

Adobe has released updates to fix this vulnerability. We strongly recommend installing these security updates as soon as possible.


Apple Security Updates Summary for March 2020 and Adobe Creative Cloud Out-of-Band Security Update:

macOS

  • Affected OS: macOS Catalina, Mojave and High Sierra
  • Affected features: HSSPI Support, AppleGraphicsControl, AppleMobileFileIntegrity, Bluetooth, Call History, CoreFoundation, FaceTime, Icons, Intel Graphics Driver, IOHIDFamily, IOThunderboltFamily, Kernel, libxml2, Mail, sudo, TCC, Time Machine, Vim
  • Impact: Information Disclosure, Privilege Escalation, arbitrary code execution, memory corruption
  • CVEs: CVE-2019-14615, CVE-2019-19232, CVE-2019-8853, CVE-2020-3851, CVE-2020-3881, CVE-2020-3883, CVE-2020-3884, CVE-2020-3889, CVE-2020-3892, CVE-2020-3893, CVE-2020-3903, CVE-2020-3904, CVE-2020-3905, CVE-2020-3906, CVE-2020-3907, CVE-2020-3908, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3912, CVE-2020-3913, CVE-2020-3914, CVE-2020-3919, CVE-2020-9769, CVE-2020-9773, CVE-2020-9776, CVE-2020-9785

Safari

  • Affected OS: macOS Mojave, macOS High Sierra, and macOS Catalina
  • Affected features: Safari Downloads, WebKit, WebKit Page Loading
  • Impact: Information Disclosure, Cross-Site scripting, Incorrect file URL processing, Arbitrary code execution
  • CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-9783, CVE-2020-9784

iTunes

  • Affected OS: Windows 7 and later
  • Affected features: libxml2, WebKit, WebKit Page Loading
  • Impact: Incorrect file URL processing, Cross-Site scripting, Arbitrary code execution
  • CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-9783

tvOS

  • Affected OS: Apple TV 4K and Apple TV HD
  • Affected features: ActionKit, AppleMobileFileIntegrity, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, WebKit, WebKit Page Loading
  • Impact: Information Disclosure, Incorrect file URL processing, Arbitrary Code Execution, Privilege Escalation
  • CVEs: CVE-2020-3883, CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3914, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9773, CVE-2020-9783, CVE-2020-9785

watchOS

  • Affected OS: watchOS
  • Affected features: ActionKit, AppleMobileFileIntegrity, CoreFoundation, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, Messages, WebKit
  • Impact: Arbitrary Code Execution, Privilege Escalation, Information Disclosure
  • CVEs: CVE-2020-3883, CVE-2020-3891, CVE-2020-3895, CVE-2020-3897, CVE-2020-3900, CVE-2020-3901, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3913, CVE-2020-3914, CVE-2020-3916, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9773, CVE-2020-9785

iOS and iPadOS

  • Affected OS: iOS and iPadOS
  • Affected features: ActionKit, Bluetooth, AppleMobileFileIntegrity, CoreFoundation, Icons, Image Processing, IOHIDFamily, Kernel, libxml2, Mail, Mail Attachments, Messages, Messages Composition, Safari, Web App, WebKit, WebKit Page Loading
  • Impact: Arbitrary Code Execution, Privilege Escalation, Information Disclosure
  • CVEs: CVE-2020-3883, CVE-2020-3885, CVE-2020-3887, CVE-2020-3888, CVE-2020-3890, CVE-2020-3891, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3913, CVE-2020-3914, CVE-2020-3916, CVE-2020-3917, CVE-2020-3919, CVE-2020-9768, CVE-2020-9770, CVE-2020-9773, CVE-2020-9775, CVE-2020-9777, CVE-2020-9780, CVE-2020-9781, CVE-2020-9783, CVE-2020-9785

iCloud

  • Product: iCloud
  • Affected OS: Windows 7 and Windows 10
  • Affected features: libxml2, WebKit, WebKit Page Loading
  • Impact: Arbitrary Code Execution, Cross-Site scripting, Incorrect file URL processing
  • CVEs: CVE-2020-3885, CVE-2020-3887, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-9783

Adobe Creative Cloud

  • Product: Adobe Creative Cloud 5.0 and earlier versions
  • Affected OS: Windows
  • Impact: Arbitrary file deletion
  • CVEs: CVE-2020-3808

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download SanerNow and keep your systems updated and secure.


Article: Apple Security Updates March 2020 and Adobe Creative Cloud Critical Security Update
Publisher: SecPod Technologies
