Security fixes: Apple fixes countless vulnerabilities – including first in C1
iOS 18.5, macOS 15.5 and co. also contain many patches for dangerous vulnerabilities. Apple's own mobile modem is affected for the first time.
Apple's operating system updates for iPhone, Mac, iPad, Apple Watch, Apple TV and Vision Pro published on Monday evening once again contain a whole bundle of security-related bug fixes. Some bugs are critical, and a gap in Apple's C1 cellular modem introduced with the iPhone 16e was discovered and closed for the first time. Older operating systems also received an update, but as usual, not with all fixes.
iOS 18.5 and iPadOS 18.5
The updates to iOS 18.5 (iPhone) and iPadOS 18.5 (iPad) come with over 30 bug fixes detailed by Apple. In addition, there are 15 “credits”, where Apple only names the area in which a fix has been incorporated and the respective reporter, but provides no further information. Those details usually follow weeks or months later – apparently to prevent exploits from being developed (too quickly), even though security experts always reject such “security through obscurity”.
At least two of the vulnerabilities cited by Apple – one in the kernel and one in the security framework – can be exploited remotely to terminate apps or read out memory. The areas that received fixes include the AppleJPEG image reading routine (manipulated files could damage process memory and cause apps to crash), Core Bluetooth (sensitive user data could be leaked), CoreGraphics (ditto), CoreMedia (app crash) as well as FaceTime (denial of service) and iCloud document sharing (attacker could share folders without logging in). The WebKit browser engine, mDNSResponder and other system components also contained errors, some of which were critical. Interesting: For the first time, Apple was notified of a bug in the C1 chip, which was also fixed. With the iPhone 16e, it was therefore possible for an attacker to eavesdrop on data traffic, but only if they were in a “privileged network position”. Apple does not specify what this means in practice, for example whether the person had to be in the Wi-Fi network or in the mobile network itself.
macOS 15.5, Safari and other systems
Apple lists over 45 fixed bug areas in macOS 15.5. The company has not (yet) communicated details on more than a dozen others. In addition to the problems fixed in iOS 18.5 and iPadOS 18.5, the afp daemon (bug could lead to a system crash), Apple Intelligence (AI reports were accessible to apps), BOM and Audio (crashes caused by web content and apps), Finder (access to sensitive data by apps), ProRes (system and kernel crashes) and Sandbox (data protection gaps) are affected. Numerous bugs in WebKit have also been fixed.
For older systems, macOS 13.7.6 (Ventura) and macOS 14.7.6 are available for download. They fix some gaps from macOS 15. Some fixes are also being delivered for iPadOS 17 in the form of iPadOS 17.7.7. Safari 18.5, which is part of macOS 15.5, is also available for Ventura and Sonoma as a single update that contains the WebKit bug fixes. The Apple Watch (watchOS 11.5), Apple TV (tvOS 18.5) and Vision Pro (visionOS 2.5) should also be updated urgently. Many of the problems fixed in iOS 18.5 and macOS 15.5 are also addressed in the other systems.
(bsc)