About the security content of iOS 13

This document describes the security content of iOS 13.

About Apple security updates

For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iOS 13

Released 19 September 2019

Bluetooth

Available for: iPhone 6s and later

Impact: Notification previews may be shown on Bluetooth accessories even when previews are disabled

Description: A logic issue existed with the display of notification previews. This issue was addressed with improved validation.

CVE-2019-8711: Arjang of MARK ANTHONY GROUP INC., Cemil Ozkebapci (@cemilozkebapci) of Garanti BBVA, Oguzhan Meral of Deloitte Consulting, Ömer Bozdoğan-Ramazan Atıl Anadolu Lisesi Adana/TÜRKİYE

Call History

Available for: iPhone 6s and later

Impact: Deleted calls remained visible on the device

Description: The issue was addressed with improved data deletion.

CVE-2019-8732: Mohamad El-Zein Berlin

Entry added 18 November 2019

CFNetwork

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack

Description: This issue was addressed with improved checks.

CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland

Entry added 29 October 2019

CoreAudio

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted movie may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative

CoreAudio

Available for: iPhone 6s and later

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative

Entry added 6 November 2019

CoreCrypto

Available for: iPhone 6s and later

Impact: Processing a large input may lead to a denial of service

Description: A denial-of-service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added 29 October 2019

CoreMedia

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8825: Found by GWP-ASan in Google Chrome

Entry added 29 October 2019

Face ID

Available for: iPhone X and later

Impact: A 3D model constructed to look like the enrolled user may authenticate via Face ID

Description: This issue was addressed by improving Face ID machine learning models.

CVE-2019-8760: Wish Wu (吴潍浠 @wish_wu) of Ant-Financial Light-Year Security Lab

Foundation

Available for: iPhone 6s and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8641: Samuel Groß and natashenka of Google Project Zero

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry updated 29 October 2019

IOUSBDeviceFamily

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8718: Joshua Hill and Sem Voigtländer

Entry added 29 October 2019

Kernel

Available for: iPhone 6s and later

Impact: an application may be able to gain elevated privileges

Description: This issue was addressed with improved entitlements.

CVE-2019-8703: an anonymous researcher

Entry added 16 March 2021

Kernel

Available for: iPhone 6s and later

Impact: A local app may be able to read a persistent account identifier

Description: A validation issue was addressed with improved logic.

CVE-2019-8809: Apple

Entry added 29 October 2019

Kernel

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)

Entry added 29 October 2019

Kernel

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8712: Mohamed Ghannam (@_simo36)

Entry added 29 October 2019

Kernel

Available for: iPhone 6s and later

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team

Entry added 29 October 2019

Kernel

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8717: Jann Horn of Google Project Zero

Entry added 8 October 2019

Keyboards

Available for: iPhone 6s and later

Impact: A local user may be able to leak sensitive user information

Description: An authentication issue was addressed with improved state management.

CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

libxml2

Available for: iPhone 6s and later

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: Found by OSS-Fuzz

CVE-2019-8756: Found by OSS-Fuzz

Entry added 8 October 2019

Messages

Available for: iPhone 6s and later

Impact: A person with physical access to an iOS device may be able to access contacts from the lock screen

Description: The issue was addressed by restricting options offered on a locked device.

CVE-2019-8742: videosdebarraquito

Notes

Available for: iPhone 6s and later

Impact: A local user may be able to view a user’s locked notes

Description: The contents of locked notes sometimes appeared in search results. This issue was addressed with improved data clean-up.

CVE-2019-8730: Jamie Blumberg (@jamie_blumberg) of Virginia Polytechnic Institute and State University

Entry added 8 October 2019

PluginKit

Available for: iPhone 6s and later

Impact: A local user may be able to check for the existence of arbitrary files

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8708: an anonymous researcher

Entry added 29 October 2019

PluginKit

Available for: iPhone 6s and later

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8715: an anonymous researcher

Entry added 29 October 2019

Quick Look

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted file may disclose user information

Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation.

CVE-2019-8731: Saif Hamed Hamdan Al Hinai of Oman National CERT, Yiğit Can YILMAZ (@yilmazcanyigit)

Safari

Available for: iPhone 6s and later

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A logic issue was addressed with improved state management.

CVE-2019-8727: Divyanshu Shukla (@justm0rph3u5)

Entry updated 8 October 2019

UIFoundation

Available for: iPhone 6s and later

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative

Entry added 8 October 2019

WebKit

Available for: iPhone 6s and later

Impact: Maliciously crafted web content may violate iframe sandboxing policy

Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2019-8771: Eliya Stein of Confiant

Entry added 8 October 2019

WebKit

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to universal cross-site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry added 8 October 2019, updated 29 October 2019

WebKit

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro’s Zero Day Initiative, cc working with Trend Micro’s Zero Day Initiative

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: Found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro’s Zero Day Initiative

Entry added 8 October 2019, updated 29 October 2019

WebKit

Available for: iPhone 6s and later

Impact: A user may be unable to delete browsing history items

Description: “Clear History and Website Data” did not fully clear the history. The issue was addressed with improved data deletion.

CVE-2019-8768: Hugo S. Diaz (coldpointblue)

Entry added 8 October 2019

WebKit Page Loading

Available for: iPhone 6s and later

Impact: Processing maliciously crafted web content may lead to universal cross-site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8674: Sergei Glazunov of Google Project Zero

Entry updated 8 October 2019

Wi-Fi

Available for: iPhone 6s and later

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation

Entry added 4 December 2019

Additional recognition

AppleRTC

We would like to acknowledge Vitaly Cheptsov for their assistance.

Entry added 29 October 2019

Audio

We would like to acknowledge riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative for their assistance.

Entry added 29 October 2019

Bluetooth

We would like to acknowledge Jan Ruge of TU Darmstadt, Secure Mobile Networking Lab, Jiska Classen of TU Darmstadt, Secure Mobile Networking Lab, Francesco Gringoli of University of Brescia, Dennis Heinze of TU Darmstadt, Secure Mobile Networking Lab for their assistance.

boringssl

We would like to acknowledge Thijs Alkemade (@xnyhps) of Computest for their assistance.

Entry added 8 October 2019

Control Centre

We would like to acknowledge Brandon Sellers for their assistance.

HomeKit

We would like to acknowledge Tian Zhang for their assistance.

Entry added 29 October 2019

Kernel

We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.

Entry added 29 October 2019

Keyboard

We would like to acknowledge Sara Haradhvala of Harlen Web Consulting, an anonymous researcher for their assistance.

Entry updated 28 July 2020

Mail

We would like to acknowledge Kenneth Hyndycz for their assistance.

mDNSResponder

We would like to acknowledge Gregor Lang of e.solutions GmbH for their assistance.

Entry added 29 October 2019

Profiles

We would like to acknowledge Erik Johnson of Vernon Hills High School, James Seeley (@Code4iOS) of Shriver Job Corps for their assistance.

Entry updated 29 October 2019

SafariViewController

We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

VPN

We would like to acknowledge Royce Gawron of Second Son Consulting, Inc. for their assistance.

Entry added 29 October 2019

WebKit

We would like to acknowledge MinJeong Kim of Information Security Lab, Chungnam National University, JaeCheol Ryou of Information Security Lab, Chungnam National University in South Korea, Yiğit Can YILMAZ (@yilmazcanyigit), Zhihua Yao of DBAPPSecurity Zion Lab, an anonymous researcher, cc working with Trend Micro’s Zero Day Initiative for their assistance.

Entry added 8 October 2019, updated 29 October 2019

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: