Apple Fixes Critical WebKit Flaws in iOS, Safari
Apple released a number of patches to its various operating systems. The most critical flaw fixed exists in WebKit and could enable remote code execution. The patch fixes 30 flaws Apple's iOS, 11 in Safari and 27 in macOS. Users are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3. Apple outline eight flaws that were fixed in Apple's WebKit browser engine, which could enable anything from cross-site scripting attacks to remote code execution in iOS and Safari.
The most severe of the vulnerabilities is a type confusion bug, CVE-2020-3897, in WebKit. Type confusion flaws are caused because a piece of code doesn't verify the type of object that is passed to it, and uses it blindly without type checking. The flaw could be abused by a remote hacker but user interaction is required to exploit the vulnerability. The vulnerability allows remote hackers to execute arbitrary code on affected installations of Apple Safari
Another type confusion issue, CVE-2020-3901, was found in WebKit, which could lead to arbitrary code execution. This flaw could be exploited if attackers tricks a victim to process maliciously crafted web content. Apple also addressed a memory corruption issue (CVE-2020-3895, CVE-2020-3900), and a memory consumption issue (CVE-2020-3899) that could could enable hackers to launch code execution attacks. The patch also fixed an input validation bug in WebKit that could allow hackers to launch a cross-site scripting attack. The hackers first need to trick victims to process maliciously crafted web content.
Affected devices include iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation. The flaws also affect macOS Mojave, macOS High Sierra, and macOS Catalina. Users are strongly urged to update their devices and computers.