About the security content of iOS 13.4 and iPadOS 13.4
This document describes the security content of iOS 13.4 and iPadOS 13.4.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iOS 13.4 and iPadOS 13.4
Accounts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9772: Allison Husain of UC Berkeley
ActionKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to use an SSH client provided by private frameworks
Description: This issue was addressed with a new entitlement.
CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)
AppleMobileFileIntegrity
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)
Bluetooth
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic
Description: A logic issue was addressed with improved state management.
CVE-2020-9770: Jianliang Wu of PurSec Lab of Purdue University, Xinwen Fu and Yue Zhang of the University of Central Florida
CoreFoundation
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG
Icons
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Setting an alternative app icon may disclose a photo without needing permission to access photos
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2020-3916: Vitaliy Alekseev (@villy21)
Image Processing
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with system privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9768: Mohamed Ghannam (@_simo36)
IOHIDFamily
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2020-3919: Alex Plaskett of F-Secure Consulting
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to read restricted memory
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team
libxml2
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size validation.
CVE-2020-3910: LGTM.com
libxml2
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A local user may be able to view deleted content in the app switcher
Description: The issue was resolved by clearing application previews when content is deleted.
CVE-2020-9780: an anonymous researcher, Dimitris Chaintinis
Mail Attachments
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Cropped videos may not be shared properly via Mail
Description: An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video.
CVE-2020-9777
Messages
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled
Description: A logic issue was addressed with improved state management.
CVE-2020-3891: Peter Scott
Messages Composition
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Deleted messages groups may still be suggested as an auto-completion
Description: The issue was addressed with improved deletion.
CVE-2020-3890: an anonymous researcher
Safari
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A user's private browsing activity may be unexpectedly saved in Screen Time
Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.
CVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland
Safari
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A user may grant website permissions to a site they didn't intend to
Description: The issue was addressed by clearing website permission prompts after navigation.
CVE-2020-9781: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)
Sandbox
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A local user may be able to view sensitive user information
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited
Web App
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A maliciously crafted page may interfere with other web contexts
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3888: Darren Jones of Dappological Ltd.
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Some websites may not have appeared in Safari Preferences
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9787: Ryan Pickren (ryanpickren.com)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to read restricted memory
Description: A race condition was addressed with additional validation.
CVE-2020-3894: Sergei Glazunov of Google Project Zero
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2020-3899: found by OSS-Fuzz
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3895: grigoritchy
CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3901: Benjamin Randazzo (@____benjamin)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A download's origin may be incorrectly associated
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3887: Ryan Pickren (ryanpickren.com)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9783: Apple
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative
WebKit Page Loading
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A file URL may be incorrectly processed
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3885: Ryan Pickren (ryanpickren.com)
Additional recognition
4FontParser
We would like to acknowledge Matthew Denton of Google Chrome for their assistance.
Kernel
We would like to acknowledge Siguza for their assistance.
LinkPresentation
We would like to acknowledge Travis for their assistance.
Notes
We would like to acknowledge Mike DiLoreto for their assistance.
rapportd
We would like to acknowledge Alexander Heinrich (@Sn0wfreeze) of Technische Universität Darmstadt for their assistance.
Safari Reader
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com) for their assistance.
Sidecar
We would like to acknowledge Rick Backley (@rback_sec) for their assistance.
SiriKit
We would like to acknowledge Ioan Florescu and Ki Ha Nam for their assistance.
WebKit
We would like to acknowledge Emilio Cobos Álvarez of Mozilla, Samuel Groß of Google Project Zero, hearmen for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.