After just under a week, Apple has now released the first details on the security vulnerabilities that the manufacturer’s latest updates are intended to eliminate. The company also states that two vulnerabilities in Mail have been eliminated – both by iOS 13.5 and by iOS 12.4.7, which users of older models such as the iPhone 6 and iPhone 5s can install.
At the same time, the Federal Office for Information Security (BSI) gave the all-clear for the e-mail client preinstalled in iOS and iPadOS: after installing the latest system updates, the Mail app can be used again. The security company ZecOps, which had pointed out the gaps to Apple, had already announced earlier in the week that the weaknesses in Apple Mail were completely eliminated by the updates.
Updates for all operating systems – and Windows software
The updates that Apple has released for iOS, iPadOS, watchOS, tvOS, macOS, the Safari browser, the iCloud client as well as iTunes for Windows and the Windows migration assistant for macOS Catalina are intended to address a long list of other vulnerabilities, as can now be read in the group’s support documents, which are available in English. The company had apparently held back publication of these details until the release of macOS 10.15.5 and the security updates for older macOS versions, which were made available for download on Wednesday night.
In the documents, the group warns of errors that could allow remote attackers to execute malicious code, for example in connection with the browser engine WebKit and Python. Remote attacks are also possible via vulnerabilities in the Bluetooth and WLAN radio interfaces, according to the support documents. Chinese security researchers have also reported several kernel vulnerabilities to Apple that may allow apps to run malicious code with kernel privileges – these are also said to be fixed.
Unpatched kernel vulnerability in iOS 13.5
The current versions iOS / iPadOS 13.5 and tvOS 13.4.5 contain an as yet unresolved kernel vulnerability that is already being used for a jailbreak. It allows a local attacker to gain admin rights, warns the BSI, which classifies the risk as “very high”. It is unclear for now when Apple will provide another patch for this.