About the security content of iOS 13
This document describes the security content of iOS 13.
About Apple security updates
For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iOS 13
Bluetooth
Available for: iPhone 6s and later
Impact: Notification previews may be shown on Bluetooth accessories even when previews are disabled
Description: A logic issue existed with the display of notification previews. This issue was addressed with improved validation.
CVE-2019-8711: Arjang of MARK ANTHONY GROUP INC., Cemil Ozkebapci (@cemilozkebapci) of Garanti BBVA, Oguzhan Meral of Deloitte Consulting, Ömer Bozdoğan-Ramazan Atıl Anadolu Lisesi Adana/TÜRKİYE
Call History
Available for: iPhone 6s and later
Impact: Deleted calls remained visible on the device
Description: The issue was addressed with improved data deletion.
CVE-2019-8732: Mohamad El-Zein Berlin
CFNetwork
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
CoreAudio
Available for: iPhone 6s and later
Impact: Processing a maliciously crafted movie may result in the disclosure of process memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
CoreAudio
Available for: iPhone 6s and later
Impact: Playing a malicious audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
CoreCrypto
Available for: iPhone 6s and later
Impact: Processing a large input may lead to a denial of service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2019-8741: Nicky Mouha of NIST
CoreMedia
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8825: Found by GWP-ASan in Google Chrome
Face ID
Available for: iPhone X and later
Impact: A 3D model constructed to look like the enrolled user may authenticate via Face ID
Description: This issue was addressed by improving Face ID machine learning models.
CVE-2019-8760: Wish Wu (吴潍浠 @wish_wu) of Ant-Financial Light-Year Security Lab
Foundation
Available for: iPhone 6s and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8641: Samuel Groß and natashenka of Google Project Zero
CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero
IOUSBDeviceFamily
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8718: Joshua Hill and Sem Voigtländer
Kernel
Available for: iPhone 6s and later
Impact: an application may be able to gain elevated privileges
Description: This issue was addressed with improved entitlements.
CVE-2019-8703: an anonymous researcher
Kernel
Available for: iPhone 6s and later
Impact: A local app may be able to read a persistent account identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)
Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8712: Mohamed Ghannam (@_simo36)
Kernel
Available for: iPhone 6s and later
Impact: A malicious application may be able to determine kernel memory layout
Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Keyboards
Available for: iPhone 6s and later
Impact: A local user may be able to leak sensitive user information
Description: An authentication issue was addressed with improved state management.
CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC
libxml2
Available for: iPhone 6s and later
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2019-8749: Found by OSS-Fuzz
CVE-2019-8756: Found by OSS-Fuzz
Messages
Available for: iPhone 6s and later
Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen
Description: The issue was addressed by restricting options offered on a locked device.
CVE-2019-8742: videosdebarraquito
Notes
Available for: iPhone 6s and later
Impact: A local user may be able to view a user’s locked notes
Description: The contents of locked notes sometimes appeared in search results. This issue was addressed with improved data clean-up.
CVE-2019-8730: Jamie Blumberg (@jamie_blumberg) of Virginia Polytechnic Institute and State University
PluginKit
Available for: iPhone 6s and later
Impact: A local user may be able to check for the existence of arbitrary files
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8708: an anonymous researcher
PluginKit
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8715: an anonymous researcher
Quick Look
Available for: iPhone 6s and later
Impact: Processing a maliciously crafted file may disclose user information
Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation.
CVE-2019-8731: Saif Hamed Hamdan Al Hinai of Oman National CERT, Yiğit Can YILMAZ (@yilmazcanyigit)
Safari
Available for: iPhone 6s and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state management.
CVE-2019-8727: Divyanshu Shukla (@justm0rph3u5)
UIFoundation
Available for: iPhone 6s and later
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
WebKit
Available for: iPhone 6s and later
Impact: Maliciously crafted web content may violate iframe sandboxing policy
Description: This issue was addressed with improved iframe sandbox enforcement.
CVE-2019-8771: Eliya Stein of Confiant
WebKit
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved state management.
CVE-2019-8625: Sergei Glazunov of Google Project Zero
CVE-2019-8719: Sergei Glazunov of Google Project Zero
CVE-2019-8764: Sergei Glazunov of Google Project Zero
WebKit
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8707: an anonymous researcher working with Trend Micro’s Zero Day Initiative, cc working with Trend Micro’s Zero Day Initiative
CVE-2019-8726: Jihui Lu of Tencent KeenLab
CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation
CVE-2019-8733: Sergei Glazunov of Google Project Zero
CVE-2019-8734: Found by OSS-Fuzz
CVE-2019-8735: G. Geshev working with Trend Micro’s Zero Day Initiative
WebKit
Available for: iPhone 6s and later
Impact: A user may be unable to delete browsing history items
Description: “Clear History and Website Data” did not fully clear the history. The issue was addressed with improved data deletion.
CVE-2019-8768: Hugo S. Diaz (coldpointblue)
WebKit Page Loading
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved state management.
CVE-2019-8674: Sergei Glazunov of Google Project Zero
Wi-Fi
Available for: iPhone 6s and later
Impact: A device may be passively tracked by its Wi-Fi MAC address
Description: A user privacy issue was addressed by removing the broadcast MAC address.
CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation
Additional recognition
AppleRTC
We would like to acknowledge Vitaly Cheptsov for their assistance.
Audio
We would like to acknowledge riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative for their assistance.
Bluetooth
We would like to acknowledge Jan Ruge of TU Darmstadt, Secure Mobile Networking Lab, Jiska Classen of TU Darmstadt, Secure Mobile Networking Lab, Francesco Gringoli of University of Brescia, Dennis Heinze of TU Darmstadt, Secure Mobile Networking Lab for their assistance.
boringssl
We would like to acknowledge Thijs Alkemade (@xnyhps) of Computest for their assistance.
Control Centre
We would like to acknowledge Brandon Sellers for their assistance.
HomeKit
We would like to acknowledge Tian Zhang for their assistance.
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.
Keyboard
We would like to acknowledge Sara Haradhvala of Harlen Web Consulting, an anonymous researcher for their assistance.
We would like to acknowledge Kenneth Hyndycz for their assistance.
mDNSResponder
We would like to acknowledge Gregor Lang of e.solutions GmbH for their assistance.
Profiles
We would like to acknowledge Erik Johnson of Vernon Hills High School, James Seeley (@Code4iOS) of Shriver Job Corps for their assistance.
SafariViewController
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
VPN
We would like to acknowledge Royce Gawron of Second Son Consulting, Inc. for their assistance.
WebKit
We would like to acknowledge MinJeong Kim of Information Security Lab, Chungnam National University, JaeCheol Ryou of Information Security Lab, Chungnam National University in South Korea, Yiğit Can YILMAZ (@yilmazcanyigit), Zhihua Yao of DBAPPSecurity Zion Lab, an anonymous researcher, cc working with Trend Micro’s Zero Day Initiative for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.