Apple released its October 2019 security updates for its products this month. They cover a total of 24 CVEs and include the first set of updates for Apple’s new macOS Catalina. A vulnerability scanning tool can detect these CVEs.
macOS Catalina, the latest version of Apple’s desktop operating system, was released on October 7. Catalina comes with updated security features to protect the core operating system. With Catalina, macOS runs in a read-only volume, which prevents third-party applications from writing to sensitive parts of the system. With the new OS, Apple has also withdrawn support for 32-bit applications, and the era of Apple iTunes has reached an end. A patch management solution can provide patches for the vulnerabilities.
Six of the 16 vulnerabilities in macOS Catalina lead to arbitrary code execution. Three vulnerabilities affecting Catalina are considered critical, as they allow an attacker to execute arbitrary code with kernel privileges due to memory corruption issues in various components. Catalina was also affected by two browser-related issues in the ‘WebKit’ component. One bug exposed the user’s browsing history, and the other failed to delete the history when ‘Clear History and Website Data’ was used.
Eight vulnerabilities were addressed in Apple iCloud. Six of the eight lead to arbitrary code execution. The other two allow universal cross-site scripting attacks when maliciously crafted web content is processed. Apple iTunes also received 9 fixes, with 7 CVEs addressing arbitrary code execution and 2 CVEs addressing cross-site scripting vulnerabilities.
Apple Security Updates Summary:
The October 2019 Apple security updates address vulnerabilities in the following products:
- Product : macOS Catalina 10.15
- Affected OS : macOS
- Affected features : AMD, CoreAudio, Crash Reporter, IOGraphics, Intel Graphics Driver, Kernel, Notes, PDFKit, SharedFileList, UIFoundation, WebKit, apache_mod_php, sips
- Impact : Arbitrary Code Execution, Denial of Service, Information Disclosure
- CVEs : CVE-2019-11041, CVE-2019-11042, CVE-2019-8701, CVE-2019-8705, CVE-2019-8717, CVE-2019-8730, CVE-2019-8745, CVE-2019-8748, CVE-2019-8755, CVE-2019-8757, CVE-2019-8758, CVE-2019-8768, CVE-2019-8769, CVE-2019-8770, CVE-2019-8772, CVE-2019-8781
- Product : iCloud for Windows 10.7
- Affected OS : Windows 10
- Affected features : UIFoundation, WebKit
- Impact : Arbitrary Code Execution, Universal Cross Site Scripting
- CVEs : CVE-2019-8625, CVE-2019-8707, CVE-2019-8719, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8745, CVE-2019-8763
- Product : iCloud for Windows 7.14
- Affected OS : Windows 7
- Affected features : UIFoundation, WebKit
- Impact : Arbitrary Code Execution, Universal Cross Site Scripting
- CVEs : CVE-2019-8625, CVE-2019-8707, CVE-2019-8719, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8745, CVE-2019-8763
- Product : iTunes 12.10.1 for Windows
- Affected OS : Windows 7
- Affected features : UIFoundation, WebKit
- Impact : Arbitrary Code Execution, Universal Cross Site Scripting
- CVEs : CVE-2019-8625, CVE-2019-8707, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8745, CVE-2019-8763