Apple released iOS 12.2 to patch 51 security vulnerabilities that affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. The majority of the vulnerabilities reside in its web rendering engine, WebKit, which is used by many apps and web browsers.
According to the advisory, just opening a malicious website using any WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks.
The WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device's microphone without the “microphone-in-use” indicator being shown.
A similar vulnerability (CVE-2019-8566) has been patched in Apple’s ReplayKit API; it could allow a malicious application to access the iOS device’s microphone without alerting the user.
“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple says in its advisory describing the ReplayKit bug.
Apple also patched a serious logic bug (CVE-2019-8503) in WebKit that could allow malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites.
The advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by convincing victims to click a malicious SMS link.
The SMS vulnerability, identified as CVE-2019-8553, appears to affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation devices.
Apple has also patched a total of six vulnerabilities in the iOS kernel. Of these, CVE-2019-8527 could allow a remote attacker to crash the system, CVE-2019-8514 could be used to elevate privileges, and the rest allow malicious apps to read the memory layout.
To check for the update on your iPhone or iPad, go to Settings → General → Software Update and click the ‘Download and Install’ button.