Apple Security Updates December 2019

  • Post author:
  • Reading time:8 mins read

Apple Security Updates December 2019


In the Apple Security Updates December 2019, Apple has rolled out security patches for various products. There are a total of 59 CVEs addressing arbitrary code execution, privilege escalation, information disclosure and denial of service vulnerabilities. Five vulnerabilities in macOS are considered very critical as they allow an attacker to execute arbitrary code with kernel privileges. A vulnerability management tool can stop this from happening.

A majority of the security bugs patched in this release were identified in macOS. Moreover, seven vulnerabilities in macOS could lead to arbitrary code execution, five of which allow arbitrary code execution with kernel privileges. These flaws exist due to out of bounds read and memory corruption issues. Also, the other vulnerabilities in macOS could allow an attacker to read restricted memory, elevate privileges and perform denial of service attacks. Patching these vulnerabilities using a patch management tool is essential.

In Apple Security Updates December 2019, three bugs were resolved in Safari, and all of them could be exploited to execute arbitrary code. However, an attacker could trick a user to visit a malicious website to exploit the underlying vulnerability. Additionally, three vulnerabilities in iCloud and iTunes also lead to arbitrary code execution. Two other flaws in iCloud and iTunes each, allow an attacker to elevate privileges on the target system and also gain access to user information by parsing a maliciously crafted XML file.

Recently, Google discovered an issue in the Intelligent Tracking Prevention (ITP) system included in Safari. Also, the webkit feature was enhanced to handle the loophole. But, no fixes related to this were included in the security updates.


Apple Security Updates Summary :

Apple Security Updates October 2019 has addressed vulnerabilities in the following products:


Product : macOS

  • Affected OS macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15
  • Affected features : ATS, Bluetooth, CFNetwork Proxies, CUPS, CallKit, FaceTime, Kernel, OpenLDAP, Security, libexpat and then tcpdump
  • Impact : Arbitrary Code Execution, Privilege Escalation, Information Disclosure, Denial of Service
  • CVEs : CVE-2012-1164, CVE-2012-2668, CVE-2013-4449, CVE-2015-1545, CVE-2017-16808, CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16301, CVE-2018-16451, CVE-2018-16452, CVE-2019-13057, CVE-2019-13565, CVE-2019-15161, CVE-2019-15162, CVE-2019-15163, CVE-2019-15164, CVE-2019-15165, CVE-2019-15166, CVE-2019-15167, CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8837, CVE-2019-8838, CVE-2019-8839, CVE-2019-8842, CVE-2019-8847, CVE-2019-8848, CVE-2019-8852, CVE-2019-8853 and then CVE-2019-8856

Product : iCloud for Windows

 

  • Affected OS : Windows
  • Affected features : CFNetwork Proxies and then WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846 and then CVE-2019-8848

  • Product : iTunes for Windows
  • Affected OS Windows
  • Affected features : CFNetwork Proxies and then WebKit, libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846 and then CVE-2019-8848

  • Product : Safari 13.0.4
  • Affected OS macOS Mojave and macOS High Sierra, and then included in macOS Catalina
  • Affected features : WebKit
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8835, CVE-2019-8844 and then CVE-2019-8846

  • Product : Xcode 11.3
  • Affected OS : macOS Mojave
  • Affected features : ld64
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8840

  • Product : watchOS 5.3.4
  • Affected OS : watchOS
  • Affected features : FaceTime
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8830

  • Product : watchOS 6.1.1
  • Affected OS watchOS
  • Affected features : CFNetwork Proxies, FaceTime, IOUSBDeviceFamily, Kernel, Security, WebKit and then libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8836, CVE-2019-8838, CVE-2019-8844, CVE-2019-8848 and then CVE-2019-8856

  • Product : tvOS 13.3
  • Affected OS : tvOS
  • Affected features : CFNetwork Proxies, FaceTime, IOUSBDeviceFamily, Kernel, Security, WebKit and then libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8835, CVE-2019-8836, CVE-2019-8838, CVE-2019-8844, CVE-2019-8846 and then CVE-2019-8848

  • Product : iOS 12.4.4
  • Affected OS :  iOS
  • Affected features : FaceTime
  • Impact : Arbitrary Code Execution
  • CVEs : CVE-2019-8830

  • Product : iOS 13.3 and iPadOS 13.3
  • Affected OS iOS and iPadOS
  • Affected features : CFNetwork Proxies, CallKit, FaceTime, IOSurfaceAccelerator, IOUSBDeviceFamily, Kernel, Photos, Security, WebKit and then libexpat
  • Impact : Arbitrary Code Execution, Elevation of Privilege, Information Disclosure
  • CVEs : CVE-2019-15903, CVE-2019-8828, CVE-2019-8830, CVE-2019-8832, CVE-2019-8833, CVE-2019-8835, CVE-2019-8836, CVE-2019-8838, CVE-2019-8841, CVE-2019-8844, CVE-2019-8846, CVE-2019-8848, CVE-2019-8856 and then CVE-2019-8857