- iOS 12.2 patches some severe remote execution, stealthy microphone access, and memory corruption flaws.
- Most security vulnerabilities concern the system’s kernel and the WebKit browser engine, which opens up a vast attack surface.
- No technical details have been disclosed yet, as users need to stay protected until they get the chance to update.
If you have not updated your Apple device to iOS version 12.2, you should do so immediately, as the latest patch plugs 51 vulnerabilities that you wouldn’t want to live with. The devices that can be potentially impacted by the security flaws are all iPhones from 5S and later, the 6th generation of the iPod, the iPad Air and more recent models, and the Apple TV 4K and HD version. The platter of fixes includes DoS attack prevention, the remedy of privilege escalation issues, plugging of remote arbitrary code execution, and the rectification of bugs that allowed the privilege escalation to root privileges and all the mischievous actions that can come with it.
Out of the total of 51 vulnerabilities, 19 concern WebKit problems that place users in the risk of visiting a website that features a malicious script that can lead to arbitrary code execution. Most of these scripts are made to steal information that is stored in the browser, such as login credentials, payment details, etc. All issues of this type have been addressed by improving the restrictions, fixing the access policy, and adding sandbox restrictions in SMS links.
Another six fixes concern the kernel of the operating system, which was previously vulnerable to remote memory corruption attacks, leading to the elevation of privileges and the reading of the memory layout. Out-of-bounds reading has been addressed through input validation, the capacity for buffer overflow was fixed with proper size validation, and the memory corruption is now prevented through the implementation of an improved memory handling system.
Among the rest, there’s an interesting fix of a microphone API issue that could allow a malicious application to gain access to the microphone without the user realizing the fact, and without asking for any validation. This step has been added now, so the vulnerability is no longer exploitable. A similar action of accessing the microphone could also be routed through a website, leveraging a WebKit security flaw, with the microphone use indicator not being displayed at all.
As the flaws were reported and fixed by various security researchers and not just Apple’s internal team, and since the patch has only just recently been released, it will take a while before we get to see any proof of concept code or more in-depth technical details for the above. Until then, get patchin’ and stay safe.
Have you updated to iOS 12.2 yet? How did it go? Share your experience in the comments section below, and don’t forget to like and subscribe on our socials, on Facebook and Twitter.