In 8 days, Apple released 4 iOS security bulletins. The first was timed to the release of iOS 13, which eliminated nine vulnerabilities in the mobile OS. The three subsequent updates correct one error each. The macOS operating systems (Mojave, High Sierra, Sierra) and watchOS received the same patch, and only that one. It closes the vulnerability CVE-2019-8641 (an out-of-bounds read, that is, a read outside the buffer allocated in memory), which developers had previously tried to fix in iOS. As soon became clear, the patch they created (it was included in iOS 12.4) was incomplete and had to be reworked.
As a result, the problem was finally resolved only in iOS 13.
“The vulnerability is contained in the Foundation component (one of the frameworks for application development) and allows remotely causing a sudden program termination or executing arbitrary code. The Foundation object-oriented library is also used by macOS and watchOS; patches for them were released on September 26th”, – says the Apple Newsletter.
It is noteworthy that the contents of the iOS 13 security bulletin were made public around the same time, although the new OS itself was released a week earlier.
The iOS 13.1 update appeared on September 24; it closes a screen lock bypass (CVE-2019-8775), which became public several days before the release of iOS 13. The researcher who found it reported it to Apple in mid-July and, without waiting for the patch, decided to publish. It is worth noting that iOS 13.1 is a cumulative update, that is, it contains all the patches from the iOS 13 package.
A few days later, Apple released the iOS 12.4.2 update, which patches Foundation for this branch. Users who can’t switch to iOS 13, for example owners of the iPhone 5s, iPhone 6, iPad mini 2 and 3, or the sixth-generation iPod touch, can install it.
On Friday, September 27, iOS 13.1.1 was released; according to the bulletin, it fixes the sandbox. The update corrects a logic error that allowed third-party applications to gain access to resources closed to them. Apple developers discovered the vulnerability and registered it under the identifier CVE-2019-8779.
“In less than two weeks, Apple has released three updates with corrections, and it is highly likely that it is too early to draw a line under it, given user complaints. The release of iOS 13 is super-lousy, which has not happened since iOS 8”, – said one of the developers.
As for 13.1.2, the list of corrections is below.
The update fixes problems that caused camera malfunctions, an error due to which the flash sometimes did not turn on, a bug that led to loss of screen calibration data, an error causing sudden loss of the Bluetooth connection, and a few other minor bugs.
At the same time, the iPadOS 13.1.2 update for iPad tablets was released, but its list of fixes is more modest. In particular, it resolves the problem with the data backup progress bar and the problem of “Siri Quick Commands” not starting from the HomePod smart speaker.