Apple Security Updates Tackle iOS Device Tracking, RCE Flaws | Threatpost

Apple’s latest security fixes, released Tuesday, tackle a wide range of bugs, including several patches for high-risk flaws that could allow for remote code execution (RCE). Of particular interest to privacy-minded iPhone 11 users is an iOS 13.3.1 update that allows users to turn off U1 Ultra-Wideband device tracking.

The fixes address vulnerabilities in Apple’s Xcode, watchOS, Safari, iTunes for Windows, iOS, iPadOS, macOS and tvOS. The most severe of the bugs include four RCE flaws in Apple TV’s operating system, tvOS – each rated high-severity.

Tracked as CVE-2020-3868, one tvOS RCE bug has a CVSS severity score of 8.8 out of 10, the highest among those patched Tuesday. The bug is tied to multiple memory corruption issues in Apple’s browser engine, WebKit. “By persuading a victim to visit a specially crafted website, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service,” according a description of the flaw.

The other tvOS code execution bugs (CVE-2020-3840, CVE-2020-3870, CVE-2020-3878) all have a CVSS rating of 7.8. Two of the RCE vulnerabilities are tied to Imageio Python libraries tvOS, and the other is tied to Apple’s use of the secure network protocol suite IPSec.

Off Switch for Tracking via U1 Ultra Wideband

Last December, KrebsOnSecurity first reported a tracking mechanism in the iPhone 11 family of handsets. The tracking took place whether or not an iPhone 11 user turned off the handset’s location services. After some sleuthing by the site’s author, Brian Krebs, he determined the tracking feature was tied to the use of Apple’s own U1 chip, which was introduced in 2019 and used for the first time in iPhone 11S.

The U1 chips uses Ultra-Wideband technology and aims to improve the performance of Apple services such as AirDrop. The U1 goes so far as to provide precise location and spatial awareness of the iPhone 11’s position relative to other Apple devices in the same room. This allows someone to point their iPhone 11 at another iPhone 11 and have that device automatically show up at the top of the AirDrop list for transferring files – no manual discovery needed.

Users voiced concerns that the new chip allowed for tracking iPhone 11 users’ locations. To address the issue, Apple has now added a switch to disable location tracking for networking and wireless functions. With the release of iOS 13.3.1, users can now turn off the tracking feature, either when turning off location services or selectively. To turn it off, users can go to Settings > Privacy > Location Services > System Services.

Tuesday’s security updates come on the heels of several staggered iOS 13 updates. In their wake, Apple has faced criticism for what critics see as a piecemeal release of the OS. Last month Apple updated the OS to iOS 13.3, which marked the third update to the iOS and iPadOS 13 since it debuted in on Sept. 19. Since iOS 13’s release, Apple has also had to issue a number of security patches, including ones for a keyboard bug and a lock-screen bypass flaw.