Apple today released security updates for iOS, fixing 51 vulnerabilities in version 12.2 of the operating system. The affected products are iPhone 5s and later, iPad Air and newer, and 6th generation iPods.

Products running tvOS, which is based on iOS to a large degree (Apple TV 4K and Apple TV HD), should be updated to 12.2, as they are also affected by 36 of the same vulnerabilities.

The list of patches covers a wide variety of bugs that an adversary could potentially exploit, with effects ranging from denial of service, privilege escalation, and information disclosure to gaining root privileges, overwriting arbitrary files, or executing code of the attacker's choice.

19 issues reported in WebKit

Referring to a batch of serious memory corruption vulnerabilities addressed in iOS 12.2, Alex Stamos, a reputed security professional and former chief security officer at Facebook, noted that maybe Apple's big media events should not coincide with its round of bug fixes:

Apple fixed some really serious bugs in iOS 12.2. Update now!



Once again, this raises the question of whether Apple should tie their security patch schedule to major media events. This isn't "Patch Tuesday", it's "Patch Keynote". pic.twitter.com/F8fCoJmh2v — Alex Stamos (@alexstamos) March 25, 2019

By far, most of the vulnerabilities were in WebKit, the web browser engine Apple uses in many of its products, including Safari, Mail, and App Store.

Most prevalent among them were memory corruption bugs that could lead to arbitrary code execution when processing maliciously crafted web content.

Apple dealt with these errors by improving memory handling, state management, and memory management.

Another memory-related problem, tracked as CVE-2019-8562, could be leveraged to allow a process to bypass sandbox restrictions. In this case, the solution was to improve validation checks.

Also affecting WebKit in previous versions of iOS is a flaw (CVE-2019-6222) that permits websites to access the microphone without any indication that it is in use.

The same effect could be obtained through a separate bug (CVE-2019-8566) in the ReplayKit component, which is used for recording or streaming video from the screen, and audio from an app or straight from the microphone.

Apple's list of security improvements for the current iOS release states that an attacker could use two vulnerabilities, one for universal cross-site scripting (XSS), tracked as CVE-2019-8551, and one to learn sensitive user information (CVE-2019-8515).

Additionally, an adversary could take advantage of a different WebKit bug (CVE-2019-8503) that allows a website to execute scripts in the context of another website.

Kernel trouble and malicious SMS

Six issues affect the kernel in earlier iOS versions. They could cause a system crash or corruption (CVE-2019-8527), allow malicious apps to read memory layout (CVE-2019-8540, CVE-2019-6207, CVE-2019-8510), or allow them to gain elevated privileges (CVE-2019-8514).

Exploiting CVE-2019-7293 enables a local user to read kernel memory and extract sensitive information present there.

An interesting vulnerability reported by an anonymous researcher is CVE-2019-8553, which affects the GeoServices component.

Apple's brief explanation of its impact notes that an attacker could send the victim a "malicious SMS link" to obtain arbitrary code execution.

Apple's inventory of security patches is impressive not only because of the high number of problems being addressed, but also because of the seriousness of some of the vulnerabilities. These updates should be applied as soon as possible, as the vulnerabilities pose significant risks to the security of the products they affect.