Apple last week released a series of software updates that repaired vulnerabilities in iOS, iPadOS, macOS Mojave, macOS High Sierra, macOS Sierra, watchOS, tvOS, Apple TV Software and Safari.
This included a fix for an iOS/iPadOS flaw that, due to improper sandbox restrictions, can grant third-party keyboard extensions full access to iPhone, iPad and iPod touch devices devices without user permission.
The company described the bug – officially designated CVE-2019-8779 – on an online support page: "Third-party keyboard extensions in iOS can be designed to run entirely standalone, without access to external services, or they can request 'full access' to provide additional features through network access. Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven't approved this access."
The Sept. 27 release of iOS and iPadOS versions 13.1.1 resolved this issue. Only three days earlier, Apple had issued version 13.1 of the operation systems, which fixed CVE-2019-8775, an issue in the VoiceOver component that allows individuals in possession of a device to access contacts from the lock screen.
Apple's Sept. 26 software release of MacOS Mojave 10.14.6 (supplemental update), High Sierra 10.13.6 and Sierra 10.12.6 fixed CVE-2019-8641, an out-of-bounds read condition that can allow remote application termination or arbitrary code execution. On the same day, Apple also issued security updates that fixed the very same vulnerability in iOS 12 and watchOS.
On Sept. 24, Apple also released Safari 13.0.1, an update that fixed a flaw that could lead to user interface spoofing and another that could leak users' private browsing history. The company also issued tvOS 13, repairing an authentication issue that could leak sensitive user information. Apple did not provide further details on the release of Apple TV Software 7.4.
