January 29, 2020, updated 30 Jan 2020 8:08am

Google Continues to Prod Holes in Apple’s Security

One vulnerability “could allow attackers nearby to remote control any Mac systems with zero interaction.”

By CBR Staff Writer

Apple has released a wide range of critical security updates for several versions of its operating systems – and it can thank Google for over a third of them.

Among the 32 CVEs, Apple itself is only credited with discovering one. Google’s Project Zero team reported 11 to its mobile rival, the patch notes show.

China’s 360 Alpha team was also credited with numerous finds.

Also thanked for responsible disclosure of one vulnerability: Corellium, which Apple is suing for copyright infringement over its virtual iOS software, which remains popular with jailbreakers and others interested in reverse engineering iOS.

The news comes after Google’s Threat Analysis Group in August 2019 identified “five separate, complete and unique” iPhone exploit chains that were being used to target China’s Uyghur minority, according to later reports.

See also: Apple, Uyghurs and your Mobile Security: A Google Report Reverberates

Many of the Apple CVEs being patched this week allowed attackers to gain serious control over devices, from executing arbitrary code with system privileges to causing unexpected system termination.

One of the 11 Apple security vulnerabilities discovered by Google’s Project Zero is CVE-2020-3842, which affects macOS High Sierra, Mojave and Catalina. If exploited, this vulnerability allowed an attacker to execute arbitrary code with kernel privileges. Apple fixed a memory corruption issue to address the bug.


Apple CVEs: Lots of Bluetooth Bugs

Other critical issues discovered by Google include a memory corruption issue that could cause the OS to execute arbitrary code when a maliciously crafted JPEG file is viewed.

Another let applications read restricted memory, while one lets applications execute arbitrary code with system privileges.

The one vulnerability discovered by Apple – CVE-2019-18634 – was a buffer overflow issue that allowed attackers to set configurations that would enable arbitrary code execution.

Apple has released patches for the vulnerabilities disclosed this week and warns that: “Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.”

Five of the vulnerabilities patched this week were discovered by Chinese security firm Qihoo 360 and its Alpha Lab. Four of these affected the core Bluetooth functionality within certain Apple products, allowing an attacker to remotely terminate applications or, more worryingly, remotely execute code.

The CSTO of Qihoo 360 noted on Twitter that the vulnerability “could allow attackers nearby to remote control any Mac systems with zero interaction.”

Apple says that it has fixed (again) a memory corruption issue that was allowing remote access, and an update has been rolled out for macOS High Sierra 10.13.6 and macOS Mojave 10.14.6.

Dayton Pidhirney, who found a zero-day that let applications execute arbitrary code with system privileges, took to Twitter last month to comment on the sheer number of vulnerabilities he is sitting on and the work needed to report them.
