Apple Patches Multiple Code Execution Flaws in Audio Components
Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems.
The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.
All of the vulnerabilities could be exploited by supplying a maliciously crafted audio file, ultimately leading to arbitrary code execution on the affected systems.
iOS 13.6 and iPadOS 13.6 address a total of 29 vulnerabilities, including most of those patched in macOS. The updates also include patches for bugs in Bluetooth, GeoServices, iAP, Kernel, Safari Login AutoFill, Safari Reader, WebKit, WebKit Page Loading, WebKit Web Inspector, and Wi-Fi. These could lead to code execution, mitigation bypass, denial of service, application termination, bypass of Same Origin Policy, prevention of Content Security Policy enforcement, Pointer Authentication bypass, or command injection.
Safari 13.1.2, available for macOS Mojave and macOS High Sierra, and included in macOS Catalina, brings fixes for a total of 11 flaws in Safari Downloads, Login AutoFill, Reader, WebKit, WebKit Page Loading, and WebKit Web Inspector.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-16 | CVE-2020-9884 | Out-of-bounds Write vulnerability in Apple products. An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2020-10-16 | CVE-2020-9888 | Out-of-bounds Read vulnerability in Apple products. An out-of-bounds read was addressed with improved bounds checking. | 7.8 |
2020-10-16 | CVE-2020-9889 | Out-of-bounds Write vulnerability in Apple products. An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2020-10-16 | CVE-2020-9890 | Out-of-bounds Read vulnerability in Apple products. An out-of-bounds read was addressed with improved bounds checking. | 7.8 |
2020-10-16 | CVE-2020-9891 | Out-of-bounds Read vulnerability in Apple products. An out-of-bounds read was addressed with improved bounds checking. | 7.8 |