Apple has released its September 2019 security updates to address vulnerabilities in its products. A total of 5 CVEs are covered. The affected products are macOS, Safari, tvOS, iOS and watchOS.
CVE-2019-8641 is considered critical and is classified as an out-of-bounds read (CWE-125), in which an attacker can read data past the end, or before the beginning, of the intended buffer. This allows an attacker to execute arbitrary code or cause unexpected system termination. CVE-2019-8641 was discovered by researchers from Google Project Zero in July 2019. Details about this bug were not disclosed, as the researchers believed the patch issued by Apple in July did not fully fix the vulnerability.
Apple has now released a second Supplemental Update for macOS Mojave, with security updates for High Sierra and Sierra as well. This flaw has been addressed with improved input validation.
The vulnerabilities in Safari (CVE-2019-8654 and CVE-2019-8725) lead to user interface spoofing and disclosure of private browsing history. An attacker can impersonate a user by tricking them into visiting a malicious website.
We request that users exercise caution before clicking on links. We strongly recommend that system administrators keep their systems up to date with the latest patches.
Apple Security Updates Summary:
The September 2019 Apple Security Updates address vulnerabilities in the following products:

| Product | Affected OS | Affected features | Impact | CVEs |
|---|---|---|---|---|
| macOS | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.6 | Foundation | Arbitrary Code Execution, Denial of Service | CVE-2019-8641 |
| Safari 13.0.1 | macOS Mojave 10.14.6, macOS High Sierra 10.13.6 | Safari, Service Workers | Spoofing, Information Disclosure | CVE-2019-8654, CVE-2019-8725 |
| tvOS 13 | Apple TV 4K and Apple TV HD | Keyboards | Information Disclosure | CVE-2019-8704 |
| iOS 12.4.2 | iOS | Foundation | Arbitrary Code Execution, Denial of Service | CVE-2019-8641 |
| iOS 13.1 and iPadOS 13.1 | iOS and iPadOS | Foundation | Arbitrary Code Execution, Denial of Service | CVE-2019-8641 |
| watchOS 5.3.2 | watchOS | Foundation | Arbitrary Code Execution, Denial of Service | CVE-2019-8641 |