Apple released a set of Apple security updates July 2019 to address vulnerabilities in its various products. About 49 vulnerabilities were identified and fixed by Apple in these security updates. Out of the 49, 44 CVEs were relevant to MacOS, while 23 CVEs were reported for iCloud, Safari, and iTunes each. And 29 flaws are considered severe and could be exploited to execute arbitrary code.
22 out of the 44 flaws reported for MacOS were present in the WebKit component alone. There were 26 memory corruption flaws in macOS which allow arbitrary code execution. CVE-2019-8694 in the IOAcceleratorFamily affecting only MacOS is considered critical as it can lead to arbitrary code execution with kernel privileges. There are no reports of these vulnerabilities exploited in the wild.
These are the arbitrary code execution flaws which are considered severe and administrators are advised to install the updates for these vulnerabilities at the earliest:
CVE-2018-19860, CVE-2019-8641, CVE-2019-8644, CVE-2019-8647, CVE-2019-8648, CVE-2019-8657, CVE-2019-8660, CVE-2019-8661, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8694, CVE-2019-8695, CVE-2019-8697
Apple released silent updates earlier this month to protect its customers from the Zoom zero-day. Apple Safari was updated recently to not open up third party applications without confirmation from the user. Zoom had a web server functionality to get around Safari’s security feature to provide a seamless experience to its users. This web server functionality allowed malicious websites with an iframe to launch a video call on Mac with the camera on. Apple’s silent updates helped in disabling the web server installed by Zoom. This update was particularly helpful to those users who had uninstalled Zoom but the webserver was still server running on the machines making them vulnerable. This update does not need user interaction and is deployed automatically.
Apple Security Updates Summary :
Apple Security Updates July 2019 has addressed vulnerabilities in the following products:
- Product : MacOS
- Affected OS : macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
- Affected features : AppleGraphicsControl, autofs, Bluetooth, Carbon Core, Core Data, Disk Management, FaceTime, Foundation, Grapher, Graphics Drivers, Heimdal, IOAcceleratorFamily, libxslt, Quick Look, Safari, Security, Siri, Time Machine, UIFoundation, WebKit, Found in Apps
- Impact : Arbitrary code execution, Information disclosure, Denial of Service, Address bar spoofing, Deserialization of untrusted data, Universal cross site scripting, Gatekeeper bypass
- CVEs: CVE-2019-8693, CVE-2019-8656, CVE-2018-19860, CVE-2019-8661, CVE-2019-8646, CVE-2019-8660, CVE-2019-8697, CVE-2019-8648, CVE-2019-8663, CVE-2019-8641, CVE-2019-8695, CVE-2019-8691, CVE-2019-8692, CVE-2018-16860, CVE-2019-8694, CVE-2019-13118, CVE-2019-8662, CVE-2019-8670, CVE-2019-8697, CVE-2019-8646, CVE-2019-8667, CVE-2019-8657, CVE-2019-8690, CVE-2019-8649, CVE-2019-8658, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689
- Product : Safari 12.1.2
- Affected OS : macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
- Affected features : Safari, WebKit
- Impact : Address bar spoofing, Universal cross site scripting, Arbitrary code execution
- CVEs : CVE-2019-8670, CVE-2019-8658, CVE-2019-8690, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8649
- Product : iTunes 12.9.6
- Affected OS : Windows 7 and later
- Affected features : libxslt, WebKit
- Impact : Universal cross site scripting, Arbitrary code execution, Information disclosure
- CVEs : CVE-2019-13118, CVE-2019-8658, CVE-2019-8690, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8649
- Product : iCloud for Windows 10.6
- Affected OS : Windows 10 and later
- Affected features : libxslt, WebKit
- Impact : Universal cross site scripting, Arbitrary code execution, Information disclosure
- CVEs : CVE-2019-13118, CVE-2019-8658, CVE-2019-8690, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8649
- Product : iCloud for Windows 7.13
- Affected OS : Windows 7 and later
- Affected features : libxslt, WebKit
- Impact : Universal cross site scripting, Arbitrary code execution, Information disclosure
- CVEs : CVE-2019-13118, CVE-2019-8658, CVE-2019-8690, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8649
- Product : iOS
- Affected OS : iOS 12.4
- Affected features : Core Data, FaceTime, Foundation, Heimdal, libxslt, Messages, Profiles, Quick Look, Siri, Telephony, UIFoundation, Wallet, WebKit, Found in Apps
- Impact : Arbitrary code execution, Information disclosure, Denial of Service, Address bar spoofing, Deserialization of untrusted data, Universal cross site scripting
- CVEs : CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, CVE-2019-8648, CVE-2019-8663, CVE-2019-8641, CVE-2018-16860, CVE-2019-13118, CVE-2019-8665, CVE-2019-8698, CVE-2019-8662, CVE-2019-8646, CVE-2019-8699, CVE-2019-8657, CVE-2019-8682, CVE-2019-8690, CVE-2019-8649, CVE-2019-8658, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689
- Product : tvOS 12.4
- Affected OS : Apple TV 4K and Apple TV HD
- Affected features : Core Data, Foundation, Heimdal, Profiles, Quick Look, Siri, UIFoundation, WebKit, libxslt
- Impact : Arbitrary code execution, Information disclosure, Denial of Service, Universal cross site scripting
- CVEs : CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, CVE-2019-8641, CVE-2018-16860, CVE-2019-13118, CVE-2019-8698, CVE-2019-8662, CVE-2019-8646, CVE-2019-8657, CVE-2019-8690, CVE-2019-8649, CVE-2019-8658, CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689
- Product : watchOS
- Affected OS : watchOS 5.3
- Affected features : Core Data, Digital Touch, FaceTime, Foundation, Heimdal, Messages, Quick Look, Siri, UIFoundation, Wallet, WebKit, libxslt
- Impact : Arbitrary code execution, Information disclosure, Denial of Service, Universal cross site scripting
- CVEs : CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, CVE-2019-8624, CVE-2019-8648, CVE-2019-8641, CVE-2018-16860, CVE-2019-13118, CVE-2019-8659, CVE-2019-8665, CVE-2019-8662, CVE-2019-8646, CVE-2019-8657, CVE-2019-8682, CVE-2019-8658, CVE-2019-8669, CVE-2019-8672, CVE-2019-8676, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8688, CVE-2019-8689
Also after using the security update, I face some security problem on my safari browser on my iOS. It takes a huge time to load a page. and sometimes I found that cookies hold my Gmail passwords. Then by following a website, I come to know that by clearing cache this issue can figure out.