Apple has released a slew of patches across its iOS and macOS operating systems, Safari browser, watchOS, tvOS and iTunes. The most serious flaw in this latest security update, released Tuesday, exists in WebKit and could enable remote code execution. Of the CVEs disclosed, 30 affected Apple's iOS, 11 impacted Safari and 27 affected macOS. Users, for their part, are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3.

While Apple is typically tight-lipped about vulnerability details in its security updates, it did outline eight flaws fixed in its WebKit browser engine, which could enable anything from cross-site scripting (XSS) attacks to remote code execution in iOS and Safari. The most severe of these vulnerabilities is a type confusion bug (CVE-2020-3897) in WebKit. Type confusion flaws arise when a piece of code does not verify the type of the object passed to it and uses that object blindly, without type-checking. This specific flaw could be abused by a remote attacker, but user interaction is required to exploit it: the target must visit a malicious page or open a malicious file.

"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari," Dustin Childs, manager with Zero Day Initiative, told Threatpost. "The specific flaw exists within the object transition cache. By performing actions in JavaScript, an attacker can trigger a type confusion…