Apple Releases iOS 14 Security Changelog | #exploits | #vulnverabilities


Apple has just released its latest iOS 14.0 and iPadOS 14.0 for supported iPhone and iPad models. While there are tons of other reasons to make the upgrade, the iPhone maker has also fixed quite a few critical security flaws with today’s releases.

Apple doesn’t like to tag its security bugs with severity ratings, but take one look at the bugs below and you will know how serious they can turn out to be. From attackers being able to download malicious content to apps being able to see what other apps you have installed on your device, Apple has fixed some critical vulnerabilities with its latest release.

AppleAVD

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9958: Mohamed Ghannam (@_simo36)

Assets

Impact: An attacker may be able to misuse a trust relationship to download malicious content

Description: A trust issue was addressed by removing a legacy API.

CVE-2020-9979: CodeColorist of Ant-Financial LightYear Labs

Icons

Impact: A malicious application may be able to identify what other applications a user has installed

Description: The issue was addressed with improved handling of icon caches.

CVE-2020-9773: Chilik Tamir of Zimperium zLabs

IDE Device Support

Impact: An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network

Description: This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7.

CVE-2020-9992: Dany Lisiansky (@DanyL931), Nikias Bassen

IOSurfaceAccelerator

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-9964: Mohamed Ghannam (@_simo36), Tommy Muir (@Muirey03)

Keyboard

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

Model I/O

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9973: Aleksandar Nikolic of Cisco Talos

Phone

Impact: The screen lock may not engage after the specified time period

Description: This issue was addressed with improved checks.

CVE-2020-9946: Daniel Larsson of iolight AB

Sandbox

Impact: A malicious application may be able to access restricted files

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9968: Adam Chester(@xpn) of TrustedSec

Siri

Impact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen

Description: A lock screen issue allowed access to messages on a locked device. This issue was addressed with improved state management.

CVE-2020-9959: an anonymous researcher, an anonymous researcher, an anonymous researcher, an anonymous researcher, an anonymous researcher, Andrew Goldberg The University of Texas at Austin, McCombs School of Business, Meli̇h Kerem Güneş of Li̇v College, Sinan Gulguler

WebKit

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)





Click here for the original Source.

_________________________________________________________________________________________

Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Leave a Reply