About the security content of iOS 13

This document describes the security content of iOS 13.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iOS 13

Released September 19, 2019

Bluetooth

Available for: iPhone 6s and later

Impact: Notification previews may show on Bluetooth accessories even when previews are disabled

Description: A logic issue existed with the display of notification previews. This issue was addressed with improved validation.

CVE-2019-8711: Arjang of MARK ANTHONY GROUP INC., Cemil Ozkebapci (@cemilozkebapci) of Garanti BBVA, Oguzhan Meral of Deloitte Consulting, Ömer Bozdoğan-Ramazan Atıl Anadolu Lisesi Adana/TÜRKİYE

CoreAudio

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted movie may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Face ID

Available for: iPhone X and later

Impact: A 3D model constructed to look like the enrolled user may authenticate via Face ID

Description: This issue was addressed by improving Face ID machine learning models.

CVE-2019-8760: Wish Wu (吴潍浠 @wish_wu) of Ant-financial Light-Year Security Lab

Foundation

Available for: iPhone 6s and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero

Kernel

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8717: Jann Horn of Google Project Zero

Entry added October 8, 2019

Keyboards

Available for: iPhone 6s and later

Impact: A local user may be able to leak sensitive user information

Description: An authentication issue was addressed with improved state management.

CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

libxml2

Available for: iPhone 6s and later

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 8, 2019

Messages

Available for: iPhone 6s and later

Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen

Description: The issue was addressed by restricting options offered on a locked device.

CVE-2019-8742: videosdebarraquito

Notes

Available for: iPhone 6s and later

Impact: A local user may be able to view a user’s locked notes

Description: The contents of locked notes sometimes appeared in search results. This issue was addressed with improved data cleanup.

CVE-2019-8730: Jamie Blumberg (@jamie_blumberg) of Virginia Polytechnic Institute and State University

Entry added October 8, 2019

Quick Look

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted file may disclose user information

Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation.

CVE-2019-8731: Saif Hamed Hamdan Al Hinai of Oman National CERT, Yiğit Can YILMAZ (@yilmazcanyigit)

Safari

Available for: iPhone 6s and later

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A logic issue was addressed with improved state management.

CVE-2019-8727: Divyanshu Shukla (@justm0rph3u5)

Entry updated October 8, 2019

UIFoundation

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

WebKit

Available for: iPhone 6s and later

Impact: Maliciously crafted web content may violate iframe sandboxing policy

Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2019-8771: Eliya Stein of Confiant

Entry added October 8, 2019

WebKit

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

Entry added October 8, 2019

WebKit

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8720: Wen Xu of SSLab at Georgia Tech

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

Entry added October 8, 2019

WebKit

Available for: iPhone 6s and later

Impact: A user may be unable to delete browsing history items

Description: "Clear History and Website Data" did not fully clear the history. The issue was addressed with improved data deletion.

CVE-2019-8768: Hugo S. Diaz (coldpointblue)

Entry added October 8, 2019

WebKit Page Loading

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8674: Sergei Glazunov of Google Project Zero

Entry updated October 8, 2019

Additional recognition

Bluetooth

We would like to acknowledge Jan Ruge of TU Darmstadt, Secure Mobile Networking Lab, Jiska Classen of TU Darmstadt, Secure Mobile Networking Lab, Francesco Gringoli of University of Brescia, Dennis Heinze of TU Darmstadt, Secure Mobile Networking Lab for their assistance.

boringssl

We would like to acknowledge Thijs Alkemade (@xnyhps) of Computest for their assistance.

Entry added October 8, 2019

Control Center

We would like to acknowledge Brandon Sellers for their assistance.

Keyboard

We would like to acknowledge an anonymous researcher for their assistance.

Mail

We would like to acknowledge Kenneth Hyndycz for their assistance.

Profiles

We would like to acknowledge James Seeley (@Code4iOS) of Shriver Job Corps for their assistance.

SafariViewController

We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

WebKit

We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit), Zhihua Yao of DBAPPSecurity Zion Lab, an anonymous researcher for their assistance.

Entry added October 8, 2019

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date: