About the security content of Safari 13.1.2
This document describes the security content of Safari 13.1.2.
About Apple security updates
For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Safari 13.1.2
Safari
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Visiting a malicious website may lead to address bar spoofing
Description: an inconsistent user interface issue was addressed with improved state management.
CVE-2020-9942: an anonymous researcher, Rahul d Kankrale (servicenger.com), Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter, Ruilin Yang of Tencent Security Xuanwu Lab, YoKo Kho (@YoKoAcc) of PT Telekomunikasi Indonesia (Persero) Tbk and Zhiyang Zeng (@Wester) of OPPO ZIWU Security Lab
Safari Downloads
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: a malicious attacker may be able to change the origin of a frame for a download in Safari Reader mode
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9912: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
Safari Login AutoFill
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
Safari Reader
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: An issue in Safari Reader mode may allow a remote attacker to bypass the Same Origin Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative
WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
CVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon
WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher
WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech
WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero
WebKit Page Loading
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)
WebKit Web Inspector
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)
WebRTC
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: an attacker in a privileged network position may be able to cause heap corruption via a crafted SCTP stream
Description: A memory corruption issue was addressed with improved state management.
CVE-2020-6514: natashenka of Google Project Zero
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.