Apple iOS 12 security update tackles Safari spoofing, data leaks, kernel memory flaws

The iPad and iPhone maker's iOS 12 launch is accompanied by a slew of security updates for various products.
Written by Charlie Osborne, Contributing Writer

Apple's anticipated OS update for mobile devices, iOS 12, is now out and available for download and is accompanied by security patches that resolve a range of vulnerabilities.

The Cupertino, Calif.-based firm issued a security advisory on Monday describing the security changes.

Apple does not "disclose, discuss, or confirm security issues" until investigations have concluded into alleged security problems and fixes have been issued. Below are security problems that have been confirmed as genuine and for which patches have been both developed and released.


The latest mobile OS update, iOS 12, focuses on improving stability and reliability. When it comes to security, the update includes a variety of useful features, including intelligent tracking improvements, suppressed ad retargeting, and the automatic suggestion of strong passwords.


However, Apple has also resolved a range of security flaws in the mobile iOS operating system, including:

  • Accounts: CVE-2018-4322 is a vulnerability which enables local apps to read a persistent account identifier.
  • Bluetooth: According to Apple, an input validation error, CVE-2018-5383, existed in the implementation of the communications protocol which could allow privileged attackers to intercept Bluetooth traffic. A memory corruption issue, CVE-2018-4330, has also been resolved in the iOS 12 update. If exploited, the vulnerability permitted attackers to execute arbitrary code.
  • CoreMedia: Reported anonymously, CVE-2018-4356 was a permission issue in Apple's mobile operating system which permitted rogue apps to "learn information about the current camera view before being granted camera access."
  • Wi-Fi: A validation issue, CVE-2018-4338, permitted attackers to use malicious apps to read restricted memory.
  • Kernel: A serious issue in the iOS kernel, CVE-2018-4363 -- reported by Google Project Zero -- was an input validation issue which could also allow applications to read restricted memory.
  • Messages: A severe vulnerability affected Apple's Messages communication platform. The consistency issue, found in the handling of application snapshots, could permit local attackers to discover a user's deleted messages.

Apple also resolved a validation flaw in the IOMobileFrameBuffer, and a password spoofing bug -- CVE-2018-4305 -- in the iTunes Store, as well as a vulnerability which could be exploited to recover deleted content from Notes.

In addition, the iPad and iPhone maker has tackled an encryption problem, CVE-2016-1777, which was caused by weaknesses in the RC4 cryptographic algorithm. To resolve the bug, Apple simply removed RC4.

The Safari browser has also been updated. The security problems resolved include vulnerabilities which could be used to exfiltrate user browsing history, steal data auto-filled by the browser, and spoof the address bar.

The bugs have been assigned CVE-2018-4307, CVE-2018-4329, and CVE-2018-4195.


tvOS has also been updated to version 12. Apple's security update includes a fix for a vulnerability which can also be used to intercept Bluetooth-based traffic in Apple TV, and the resolution of the same iTunes Store, kernel, Safari, and RC4 encryption weaknesses which impacted the Apple ecosystem.

A round of fixes has also been released in the latest firmware update of watchOS, which is version 5. The Safari browser problems, encryption protocol failure, kernel restricted memory issue, and iTunes Store spoofing error all affected the Apple watchOS system but have now been resolved.


Apple product users are recommended to update their firmware to the latest version available to protect themselves from compromise. Instructions for updating your operating system can be found here: iOS 12, macOS, tvOS, and watchOS.
