About the security content of iOS 13.1 and iPadOS 13.1
This document describes the security content of iOS 13.1 and iPadOS 13.1.
About Apple security updates
For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iOS 13.1 and iPadOS 13.1
iOS 13.1 and iPadOS 13.1 include the security content of iOS 13.
AppleFirmwareUpdateKext
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2019-8747: Mohamed Ghannam (@_simo36)
Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab
Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8850: Anonymous working with Trend Micro’s Zero Day Initiative
Books
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial of service
Description: A resource exhaustion issue was addressed with improved input validation.
CVE-2019-8774: Gertjan Franken imec-DistriNet of KU Leuven
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2019-8740: Mohamed Ghannam (@_simo36)
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A local app may be able to read a persistent account identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Kernel
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A malicious application may be able to determine kernel memory layout
Description: The issue was addressed with improved permissions logic.
CVE-2019-8780: Siguza
libxslt
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Multiple issues in libxslt
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2019-8750: found by OSS-Fuzz
mDNSResponder
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications
Description: This issue was resolved by replacing device names with a random identifier.
CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt
Shortcuts
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An attacker in a privileged network position may be able to intercept SSH traffic from the “Run script over SSH” action
Description: This issue was addressed by verifying host keys when connecting to a previously-known SSH server.
CVE-2019-8901: an anonymous researcher
UIFoundation
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative
VoiceOver
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen
Description: The issue was addressed by restricting options offered on a locked device.
CVE-2019-8775: videosdebarraquito
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Visiting a maliciously crafted website may reveal browsing history
Description: An issue existed in the drawing of web page elements. The issue was addressed with improved logic.
CVE-2019-8769: Piérre Reimertz (@reimertz)
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8710: found by OSS-Fuzz
CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group
CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8763: Sergei Glazunov of Google Project Zero
CVE-2019-8765: Samuel Groß of Google Project Zero
CVE-2019-8766: found by OSS-Fuzz
CVE-2019-8773: found by OSS-Fuzz
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A validation issue was addressed with improved logic.
CVE-2019-8762: Sergei Glazunov of Google Project Zero
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech
Additional recognition
boringssl
We would like to acknowledge Nimrod Aviram of Tel Aviv University, Robert Merget of Ruhr University Bochum, and Juraj Somorovsky of Ruhr University Bochum for their assistance.
Find My iPhone
We would like to acknowledge an anonymous researcher for their assistance.
Identity Service
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Kernel
We would like to acknowledge Vlad Tsyrklevich for their assistance.
Notes
We would like to acknowledge an anonymous researcher for their assistance.
Photos
We would like to acknowledge Peter Scott of Sydney, Australia for their assistance.
Share Sheet
We would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt for their assistance.
Status Bar
We would like to acknowledge Isaiah Kahler, Mohammed Adham, and an anonymous researcher for their assistance.
Telephony
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.