Apple Just Fixed These 20 Security Vulnerabilities in IOS 18.2

Posted on by

When Apple released iOS 18.2 today , headlines largely focused on the big changes, including new Apple Intelligence features like Image Playground and Genmoji . But the quiet side of any Apple software release involves security patches. iOS 18.2 is no exception, with the company releasing 20 fixes for security flaws affecting iPhones running iOS 18.1.1 and older. While none of them are currently in active use, they highlight the importance of keeping your device up to date as soon as possible.

Apple has fixed issues with call muting, lock screen privacy, and malicious processing

As I scrolled through the list of fixes, a few stood out to me. The first is a fix for an audio bug where muting during a call could mean the mute feature has failed. It goes without saying that you should be able to trust the mute button during a call, so any issue that can cause this mute button to fail is a cause for concern. Luckily, Apple says it has fixed the “inconsistent user experience” to resolve this issue. Another troubling flaw concerns VoiceOver: a flaw in its screen reader feature could allow an attacker to read your lock screen notifications, although these notifications would typically be hidden until your iPhone is unlocked.

There are also a number of fixes that prevent malicious apps, images, files and web content from harming your device. For example, the AppleMobileFileIntegrity vulnerability allows a malicious application to access your personal information, while the SceneKit vulnerability allows a malicious file to cause a denial of service that could lock out an authorized user from the device.

The good news is that no one appears to be in active danger of being attacked using any of these flaws: Apple hasn’t reported that any of them have been actively exploited, which suggests that attackers are either unaware of these flaws. or are unaware of these shortcomings. know how to use them. However, now that these flaws have been exposed, it’s only a matter of time before attackers figure out how to take advantage of them, so updating your iPhone as soon as possible is still a smart move.

You can see the full list of shortcomings below:

  1. AppleMobileFileIntegrity (CVE-2024-54526): A malicious application may have access to private information. This issue has been resolved with improved checks.

  2. AppleMobileFileIntegrity (CVE-2024-54527): The application may have access to sensitive user data. This issue has been resolved with improved checks.

  3. Audio (CVE-2024-54503): Muting audio during a call may not unmute audio. An inconsistent UI issue has been addressed with improved state management.

  4. Crash Reporter (CVE-2024-54513): The application may have access to sensitive user data. The permitting issue was resolved by introducing additional restrictions.

  5. FontParser (CVE-2024-54486): Parsing a malicious font may lead to process memory disclosure. This issue has been resolved with improved checks.

  6. ImageIO (CVE-2024-54500): Processing a malicious image may lead to process memory disclosure. This issue has been resolved with improved checks.

  7. Kernel (CVE-2024-54494): An attacker could create a read-only memory map that can be written to. The race condition was resolved with additional checking.

  8. Kernel (CVE-2024-54510): An application may transmit sensitive kernel state information. The race condition was resolved with improved blocking.

  9. Kernel (CVE-2024-44245): An application may cause an unexpected system termination or kernel memory corruption. The issue was addressed with improved memory handling.

  10. libexpat (CVE-2024-45490): A remote attacker could cause the application to terminate unexpectedly or execute arbitrary code. This is an open source vulnerability and Apple Software is among the affected projects.

  11. libxpc (CVE-2024-54514): The application may escape the sandbox. This issue has been resolved with improved checks.

  12. libxpc (CVE-2024-44225): An application may gain elevated privileges. A logic issue has been addressed with improved checks.

  13. Passwords (CVE-2024-54492). An attacker with a privileged position in the network can modify network traffic. The issue was resolved by using HTTPS when sending information over the network.

  14. Safari (CVE-2024-44246): On a device with Private Relay enabled, adding a website to Safari’s reading list may reveal the website’s originating IP address. This issue has been addressed with improved routing of requests originating from Safari.

  15. SceneKit (CVE-2024-54501): Processing a malicious file may lead to a denial of service. This issue has been resolved with improved checks.

  16. VoiceOver (CVE-2024-54485): An attacker with physical access to an iOS device could view notification content from the lock screen. The problem was resolved by adding additional logic.

  17. WebKit (CVE-2024-54479/CVE-2024-54502): Processing malicious web content may cause the process to crash unexpectedly. This issue has been resolved with improved checks.

  18. WebKit (CVE-2024-54508): Processing malicious web content may cause the process to crash unexpectedly. The issue was addressed with improved memory handling.

  19. WebKit (CVE-2024-54505): Processing malicious web content may lead to memory corruption. The type confusion issue has been addressed with improved memory handling.

  20. WebKit (CVE-2024-54534): Processing malicious web content may lead to memory corruption. The issue was addressed with improved memory handling.

Apple also released security updates foriPadOS ,macOS Sequoia ,macOS Sonoma ,macOS Ventura ,watchOS ,tvOS , andVisionOS . If you have any of these devices, you should also update them as soon as possible.

More…

0
Apple

Leave a Reply