busterfert.blogg.se

Apple experimental webkit features









Apple has released a slew of patches across its iOS and macOS operating systems, Safari browser, watchOS, tvOS and iTunes. The most serious flaw in this latest security update, released Tuesday, exists in WebKit and could enable remote code execution. Of the CVEs disclosed, 30 affected Apple’s iOS, 11 impacted Safari and 27 affected macOS. Users for their part are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3.

While Apple typically is initially tight-lipped when it comes to vulnerability details in security updates, it did outline eight flaws that were fixed in Apple’s WebKit browser engine, which could enable anything from cross-site scripting (XSS) attacks to remote code execution in iOS and Safari. The most severe of these vulnerabilities is a type confusion bug (CVE-2020-3897) in WebKit.

Type confusion flaws are caused when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking. This specific flaw could be abused by a remote attacker – but user interaction is required to exploit the vulnerability in that the target must visit a malicious page or open a malicious file.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari,” Dustin Childs, manager with Zero Day Initiative, told Threatpost. “The specific flaw exists within the object transition cache. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.”

Another type confusion issue (CVE-2020-3901) was found in WebKit that could lead to arbitrary code execution. This flaw could be exploited if an attacker persuades a victim to process maliciously crafted web content, according to Apple. The issue “was addressed with improved memory handling,” according to Apple.

Apple also addressed a memory corruption issue (CVE-2020-3895, CVE-2020-3900), and a memory consumption issue (CVE-2020-3899) that could enable attackers to launch code execution attacks. Finally, the tech giant also fixed an input validation bug in WebKit (CVE-2020-3902) that could allow attackers to launch a cross-site scripting attack.









