Update now! Apple releases first 2019 iOS and macOS patches

Apple has issued its January security updates fixing a list of mostly shared CVE flaws affecting iOS and macOS with a smattering for Safari, watchOS, tvOS, and iCloud for Windows.

iOS v12.1.3

This latest version fixes a sizable list of CVEs for the iPhone 5s and later, and the iPad and iPod Touch 6th Generation. Almost all were reported to Apple by external researchers.

Among the interesting ones are CVE-2019-6200, a remote code execution (RCE) Bluetooth flaw, and CVE-2019-6224, another RCE that an attacker might exploit through FaceTime.

Fixes for the WebKit browser engine make up another nine CVEs, including CVE-2019-6229 which might allow cross-site scripting through a malicious web page.

Kernel-level flaws account for six CVEs, all of which would allow an attacker able to sneak a malicious app past Apple to elevate privileges, break out of the sandbox, or execute malicious code.

The update should appear without intervention, or you can check manually by clicking Settings > General > Software Update.

macOS v10.14.3 Mojave

Also known as Security Update 2019-001 for Sierra and High Sierra, this update includes most of the CVEs mentioned in the iOS v12.1.3 update, including those for Bluetooth, FaceTime, WebRTC, CoreAnimation, SQLite, IOKit, and those affecting the kernel.

Those specific to macOS Sierra/High Sierra are CVE-2018-4452, an RCE weakness affecting the Intel Graphics Driver, and CVE-2018-4467, a flaw affecting the OS’s hypervisor that might allow privilege elevation.

Affecting all versions is CVE-2019-6220, an out-of-bounds flaw in QuartzCore that could allow an attacker to read restricted memory.

Updating can be initiated through System Preferences > Software Update. If you haven’t clicked the box marked “Automatically keep my Mac up to date”, it might be a good idea to do that now.

Finally, an Apple update wouldn’t be complete without something for Safari, which gets a fix for CVE-2019-6228, a cross-site scripting vulnerability addressed with better URL validation in the browser’s Reader.

Updates are also available for iCloud for Windows (v7.10), watchOS (v5.1.3), and tvOS (v12.1.2).

4 Comments

As a counterpoint to the security concerns which are resolved by the iOS 12.1.3 release, please note that there have been some fairly widespread reports of this update causing issues with cellular data service.

[url redacted]


It fixes the iPhone spell check bug in Safari!!! (only took 6+ months) Now if they would only make the good keyboard an option again. (landscape with more keys than current)


Those forward-and-back arrows were soooo useful!

I guess Apple’s telemetry showed that the arrows were rarely used – so if typing errors increased in the time the keyboard was more cramped I guess you and I have to take one for the team.


If it wasn’t for having multiple keyboards available on the Iplaystoreapaloosa I could accept that. I’ve wondered if there was an exploit using the keys, and it was just easier removing the keys than fixing the exploit….
