
Apple updates software, fixes flaw affecting third-party keyboard apps

Apple last week released a series of software updates that repaired vulnerabilities in iOS, iPadOS, macOS Mojave, macOS High Sierra, macOS Sierra, watchOS, tvOS, Apple TV Software and Safari.

This included a fix for an iOS/iPadOS flaw that, due to improper sandbox restrictions, can grant third-party keyboard extensions full access to iPhone, iPad and iPod touch devices without user permission.

The company described the bug – officially designated CVE-2019-8779 – on an online support page: "Third-party keyboard extensions in iOS can be designed to run entirely standalone, without access to external services, or they can request 'full access' to provide additional features through network access. Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven't approved this access."

The Sept. 27 release of iOS and iPadOS versions 13.1.1 resolved this issue. Only three days earlier, Apple had issued version 13.1 of the operating systems, which fixed CVE-2019-8775, an issue in the VoiceOver component that allows individuals in possession of a device to access contacts from the lock screen.

Apple's Sept. 26 software release of macOS Mojave 10.14.6 (supplemental update), High Sierra 10.13.6 and Sierra 10.12.6 fixed CVE-2019-8641, an out-of-bounds read condition that can allow remote application termination or arbitrary code execution. On the same day, Apple also issued security updates that fixed the very same vulnerability in iOS 12 and watchOS.

On Sept. 24, Apple also released Safari 13.0.1, an update that fixed a flaw that could lead to user interface spoofing and another that could leak users' private browsing history. The company also issued tvOS 13, repairing an authentication issue that could leak sensitive user information. Apple did not provide further details on the release of Apple TV Software 7.4.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
