About the security content of iOS 12.4

This document describes the security content of iOS 12.4.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss or confirm security issues until an investigation has taken place and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iOS 12.4

Bluetooth

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth – KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Core Data

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: a remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

Core Data

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero

Core Data

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero

FaceTime

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu

Found in Apps

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: a remote attacker may be able to leak memory

Description: This issue was addressed with improved checks.

CVE-2019-8663: natashenka of Google Project Zero

Game Center

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Heimdal

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: An issue existed in Samba that may allow attackers to perform unauthorised actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorised actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

Image Processing

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial-of-service issue was addressed with improved validation.

CVE-2019-8668: an anonymous researcher

libxslt

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

Messages

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A remote attacker may cause an unexpected application termination

Description: A denial-of-service issue was addressed with improved validation.

CVE-2019-8665: Michael Hernandez of XYZ Marketing

Profiles

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A malicious application may be able to restrict access to websites

Description: a validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2019-8698: Luke Deshotels, Jordan Beichler and William Enck of North Carolina State University; Costin Carabaș and Răzvan Deaconescu of University POLITEHNICA of Bucharest

Quick Look

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: An attacker may be able to trigger a use-after-free in an application deserialising an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero

Siri

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: a remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

Telephony

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: The initiator of a phone call may be able to cause the recipient to answer a simultaneous Walkie-Talkie connection

Description: A logic issue existed in the answering of phone calls. The issue was addressed with improved state management.

CVE-2019-8699: Marius Alexandru Boeru (@mboeru) and an anonymous researcher

UIFoundation

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: an out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Wallet

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: A user may inadvertently complete an in-app purchase while on the lock screen

Description: the issue was addressed with improved UI handling.

CVE-2019-8682: Jeff Braswell (JeffBraswell.com)

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Processing maliciously crafted web content may lead to universal cross-site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Additional recognition

Game Center

We would like to acknowledge Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc. for their assistance.

MobileInstallation

We would like to acknowledge Dany Lisiansky (@DanyL931) for their assistance.