Apple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affects iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
A majority of vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on the Apple’s operating system.
According to the advisory, just opening a maliciously crafted web content using any vulnerable WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks on the device.
Among the WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device microphone without the “microphone-in-use” indicator being shown.
A similar vulnerability (CVE-2019-8566) has been patched in Apple’s ReplayKit API that could allow a malicious application to access the iOS device’s microphone without alerting the user.
“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple says in its advisory briefing the ReplayKit bug.
Apple has also patched a serious logical bug (CVE-2019-8503) in WebKit that could have allowed malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites or launch a wide-range of online attacks.
Besides WebKit issues, the advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by convincing victims into clicking a malicious SMS link.
images from Hacker News