Apple Fixes Passcode, Remote Code Execution Flaws in iOS and macOS

In what is likely to be the final Apple security update for 2018, macOS 10.14.2 and iOS 12.1.1 are now available, fixing multiple flaws across the desktop and mobile operating systems.

Apple update

Apple released a series of updates on Dec. 5 to its desktop and mobile operating systems, patching serious vulnerabilities that could have exposed users to risk.

Among the updates released by Apple are iOS 12.1.1, macOS Mojave 10.14.2 and Safari 12.0.2. The bugs fixed across the updates include privilege escalation, arbitrary code execution, memory corruption and denial-of-service flaws. In iOS 12.1.1, one of the most impactful issues patched is a passcode bypass one with the FaceTime conferencing application.

"A local attacker may be able to view contacts from the lock screen," Apple wrote in its advisory for the FaceTime vulnerability, which is also identified as CVE-2018-4430. "A lock screen issue allowed access to contacts on a locked device."

The CVE-2018-4430 flaw was discovered by security researcher Jose Rodriguez, who had actually posted a video of how the bypass works on Oct. 30.

"With the release of iOS 12.1 on October 30, Apple left NOT PROTECTED by passcode, easily accessible, YOUR CONTACT INFORMATION (your personal phone numbers, your email address, your pic) that your friends, family, mates, colleagues ... have about you in their iPhones," Rodriguez wrote in the video description.

Also of note in the iOS 12.1.1 update is CVE-2018-4446, a flaw in the File Provider capability that could have enabled unauthorized information disclosure.

"A malicious application may be able to learn information about the presence of other applications on the device," Apple warned in its advisory.

History Delete Flaw

Another interesting flaw patch by Apple is CVE-2018-4445 in Safari as well as in iOS. The flaw is such that users of Safari on both mobile and desktop operating systems were unable to fully delete browsing history.

"Clear History and Website Data did not clear the history," Apple warned. "The issue was addressed with improved data deletion."

macOS

On macOS, Apple fixed multiple arbitrary code execution and information disclosure issues. 

Among the issues are three in the Apple Kernel component (CVE-2018-4444, CVE-2018-4461 and CVE-2018-4435), one in IOHIDFamily (CVE-2018-4427) and one in Disk Images (CVE-2018-4465). The kernel has also been patched for a denial-of-service (DoS) issue identified as CVE-2018-4460 that was discovered by Kevin Backhouse of Semmle Security Research Team.

"An attacker in a privileged position may be able to perform a denial of service attack," Apple warned.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.