Apple has released a wide range critical security updates for several versions of its operating systems – and it can thank Google for over a third of them.
Among the 32 CVEs, Apple itself is only credited with discovering one. Google’s Project Zero team reported 11 to its mobile rival, the patch notes show.
China’s 360 Alpha team was also credited with numerous finds.
Also thanked for responsible disclosure of one vulnerability: Corellium, which Apple is suing for copyright infringement over its virtual iOS software, which remains popular with jail breakers and others interested in reverse engineering iOs.
The news comes after Google’s Threat Analysis Group in August 2019 identified “five separate, complete and unique” iPhone exploit chains” that were being used to target China’s Uyghur minority, according to later reports.
Many of the Apple CVEs being patched this week allowed attackers to gain some serious control over devices, from executing arbitrary code with system privileges, to unexpected system termination powers.
One of the 11 Apple security vulnerabilities discovered by Google’s Project Zero is CVE-2020-3842 which affects the macOS’ High Sierra, Mojave and Catalina. If exploited this vulnerability allowed an attacker to execute arbitrary code with kernel privileges. A Apple fixed a memory corruption issue to address the bug.
Apple CVEs: Lots of Bluetooth Bugs
Other critical issues discovered by Google include a memory corruption issue that cause the OS to execute code after viewing a maliciously crafted JPEG file.
Another let applications read restricted memory, while one lets applications arbitrary execute code with system privileges.
The one vulnerability discovered by Apple – CVE-2019-18634 – abused a buffer overflow issue allowing hackers to set configurations that would enable arbitrary code execution.
Apple have released patches for the vulnerabilities released this week and warn that: “Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.”
Instructions on how to update macOS can be found here.
The 360 Alpha team helped Apple to fix 0-click RCE & memory leak bugs in CoreBluetooth, which could allow attackers near by to remote control any Mac systems with zero interaction. https://t.co/JKEkVN8TRH
— mj0011 (@mj0011sec) January 28, 2020
Five of the vulnerabilities patched this week were discovered by Chinese security firm Qihoo 360 and its Alpha Lab. Four of these affected the core Bluetooth functionality within certain Apple products allowing an attacker to remotely terminate applications or more worryingly, remotely execute code.
The CSTO of Qihoo360 notes on Twitter that the vulnerability: “Could allow attackers nearby to remote control any Mac systems with zero interaction.”
Apple says that it has fixed a memory corruption (again) issue that was allowing remote access and an update has been rolled out for macOS High Sierra 10.13.6, macOS Mojave 10.14.6.
Dayton Pidhirney who found an a zero day that let applications execute arbitrary code with system privileges, took to Twitter last month to comment on the sheer amount of vulnerabilities he is sitting on and the work that is need to report them;
That feeling when you've got so many god damned 0days piling up to submit but literally zero time to write them up properly. They are headed for dense skulls that need everything on a silver platter…
Can I… pay someone to do this for me 🤔?
— Dayton Pidhirney (@_watbulb) December 27, 2019