- Apple has released iOS 13.6, and it comes with bug fixes for 29 critical and medium security flaws.
- The vulnerabilities are spread across multiple system components, so updating as soon as possible is critical.
- The update also brings the “CarKey” feature, and Apple has added separate controls for automatic update downloads and installs.
We understand that Apple fans are eagerly waiting for iOS 14 and all the goodies that will come with its release, but iOS 13.x is not a thing of the past yet, and it won’t be for the next couple of months. Accordingly, Apple has released the sixth bug-fix version of the 13.x branch, plugging 29 holes that you wouldn’t want to keep open.
Of course, iPadOS 13.6 was released alongside the iOS version, and both address the same vulnerabilities.
The most common type of flaw discovered and addressed in 13.6 is arbitrary code execution, affecting the audio components, AVEVideoEncoder, iAP, ImageIO, the kernel, Model I/O, and WebKit. In many of these cases, the attacker would have to convince the target to open a specially crafted file (audio, image, 3D model, web content, etc.). The parser mishandles the crafted input, which leads to memory corruption (out-of-bounds reads, buffer overflows), and that corruption can be turned into code execution with the privileges of the vulnerable component, up to kernel privileges in the kernel cases.
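To make the crafted-file pattern concrete, here is an added example (not code from the article or from Apple) of a toy chunked-container parser of the kind used for audio and image formats. The file layout is an assumption for illustration only: a 4-byte magic, then a 4-byte big-endian length followed by that many payload bytes. The vulnerable variant trusts the length field from the file, so a crafted file overflows the fixed-size buffer or reads past the end of the input; the hardened variant checks the length against both the buffer size and the bytes actually present before copying.

```c
/* Added example, not from the article or from Apple: a toy chunked-file
 * parser showing how a crafted file turns into memory corruption.
 * Format (assumed for illustration): "IMG1" magic, 4-byte big-endian
 * payload length, payload bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 64

typedef struct {
    size_t count;
    uint8_t payload[MAX_PAYLOAD];
} chunk_t;

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Vulnerable parse: the length comes straight from the file. A length above
 * MAX_PAYLOAD overflows out->payload (buffer overflow); a length above the
 * bytes remaining in buf reads past the input (out-of-bounds read). Only
 * the header-size check exists. Never call this on untrusted input. */
int parse_chunk_vulnerable(const uint8_t *buf, size_t len, chunk_t *out)
{
    if (buf == NULL || out == NULL || len < 8) return -1;
    uint32_t n = rd_be32(buf + 4);
    memcpy(out->payload, buf + 8, n);   /* no bound on n */
    out->count = n;
    return 0;
}

/* Hardened parse: validate magic, then bound the declared length by the
 * destination buffer and by the bytes actually present in the file. */
int parse_chunk_hardened(const uint8_t *buf, size_t len, chunk_t *out)
{
    if (buf == NULL || out == NULL || len < 8) return -1;
    if (memcmp(buf, "IMG1", 4) != 0) return -1;   /* wrong magic */
    uint32_t n = rd_be32(buf + 4);
    if (n > MAX_PAYLOAD) return -2;               /* would overflow payload */
    if (n > len - 8) return -3;                   /* would read past the file */
    memcpy(out->payload, buf + 8, n);
    out->count = n;
    return 0;
}

/* Constructed sample inputs (not real files). */
/* Well-formed: declares 3 bytes and carries 3 bytes. */
static const uint8_t good_file[] = {
    'I','M','G','1', 0x00,0x00,0x00,0x03, 0xAA,0xBB,0xCC };
/* Crafted: declares 0x7FFFFFFF bytes, far beyond MAX_PAYLOAD. */
static const uint8_t crafted_file[] = {
    'I','M','G','1', 0x7F,0xFF,0xFF,0xFF, 0xAA,0xBB,0xCC };
/* Crafted: declares 10 bytes but only 3 follow the header. */
static const uint8_t crafted_short[] = {
    'I','M','G','1', 0x00,0x00,0x00,0x0A, 0xAA,0xBB,0xCC };

int main(void)
{
    chunk_t c;
    printf("good file:      %d\n", parse_chunk_hardened(good_file, sizeof good_file, &c));
    printf("oversized len:  %d\n", parse_chunk_hardened(crafted_file, sizeof crafted_file, &c));
    printf("truncated file: %d\n", parse_chunk_hardened(crafted_short, sizeof crafted_short, &c));
    return 0;
}
```

The `len - 8` subtraction is safe only because the `len < 8` check runs first; ordering the checks that way is the part that most often goes wrong in real parsers. The vulnerable function is kept for contrast and is deliberately never run on the crafted inputs.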
Other flaw types include denial of service in the Bluetooth and Wi-Fi components, disclosure of sensitive information in CoreFoundation, a sandbox escape through the Crash Reporter, a bypass of kernel memory mitigations, the ability to rejoin an iMessage group after being removed from it, and remote termination of wireless connections.
The most critical flaws that we could discern among all entries are CVE-2019-14899 and CVE-2020-9903. The first lies in the kernel and could enable an attacker in a privileged network position (on the same local network, for example) to inject data into active connections inside a VPN tunnel. The CVE dates from 2019, when the issue was publicly disclosed as affecting several operating systems, so the iOS fix has been a long time coming; Apple addressed it with improved restrictions.
The second flaw concerns the Safari Login AutoFill system and could enable a malicious actor to cause the browser to suggest a saved password for the wrong domain. Credentials stored for one site could thus be offered on an attacker-controlled one, and a user who accepts the suggestion would hand them over without realizing it.
Besides the fixes that came with version 13.6, Apple has added separate settings for automatically downloading and automatically installing iOS updates. Both switches are on by default, which is the more security-conscious path to take.
As for new features, the headline addition in iOS 13.6 is “CarKey,” which we initially expected to see in iOS 14. It looks like Apple had it ready, so it was shipped with this bug-fix update instead.