Apple releases iOS 18 over 30 security updates, two critical

Apple's latest update, iOS 18 and iPadOS 18, addresses multiple vulnerabilities across various components, improving the security and privacy of supported devices.

These updates are available for devices ranging from the iPhone XS to the iPad mini 5th generation and later.

Accessibility

1. CVE-2024-40840 (CVSS score 4.6): An attacker with physical access may use Siri to access sensitive user data

2. CVE-2024-40830 (CVSS score 3.3): An app could enumerate installed apps.

3. CVE-2024-44171 (CVSS score 8.1): An attacker with physical access to a locked device could control nearby devices via accessibility features.

4. CVE-2024-40852 (CVSS score 7.5): Recent photos could be accessed without authentication in Assistive Access.

Cellular

5. CVE-2024-27874 (CVSS score 7.5): A remote attacker could cause a denial-of-service.

Compression

6. CVE-2024-27876 (CVSS score 4.7): Unpacking a maliciously crafted archive could allow arbitrary file writing.

Control Center

7. CVE-2024-27869 (CVSS score 7.5): An app might record the screen without an indicator.

Core Bluetooth

8. CVE-2024-44124 (CVSS score 7.5): A malicious Bluetooth input device could bypass pairing.

FileProvider

9. CVE-2024-44131 (CVSS score 5.5): An app could access sensitive user data.

Game Center

10. CVE-2024-40850: (CVSS score 5.5) An app could access user-sensitive data.

ImageIO

11. CVE-2024-27880 (CVSS score 7.1): Processing a malicious file could cause unexpected app termination.

12. CVE-2024-44176 (CVSS score 5.5): Processing an image could lead to a denial-of-service.

IOSurfaceAccelerator

13. CVE-2024-44169 (CVSS score 8.1): An app might cause unexpected system termination.

Kernel

14. CVE-2024-44165 (CVSS score 5.5): Network traffic could leak outside a VPN tunnel.

15. CVE-2024-44191 (CVSS score 9.1): An app could gain unauthorized access to Bluetooth.

libxml2

16. CVE-2024-44198 (CVSS score 8.1): Processing malicious web content could lead to unexpected process crashes.

Mail Accounts

17. CVE-2024-40791 (CVSS score 3.3): An app could access a user's contact information.

mDNSResponder

18. CVE-2024-44183 (CVSS score 5.5): An app could cause a denial-of-service.

Model I/O

19. CVE-2023-5841 (CVSS score 9.1): Processing a malicious image could lead to a denial-of-service.

NetworkExtension

20. CVE-2024-44147 (CVSS score 7.7): An app might gain unauthorized access to the local network.

Notes

21. CVE-2024-44167 (CVSS score 8.1): An app could overwrite arbitrary files.

Printing

22. CVE-2024-40826 (CVSS score 7.5): An unencrypted document might be written to a temporary file during print preview.

Safari Private Browsing

23. CVE-2024-44202, CVE-2024-44127 (both CVSS score 5.3): Private Browsing tabs could be accessed without authentication.

Sandbox

24. CVE-2024-40863 (CVSS score 5.5): An app could leak sensitive user information.

Siri

25. CVE-2024-44139, CVE-2024-44180 (CVSS score 2.4): An attacker could access contacts from the lock screen or access sensitive data.

Transparency

26. CVE-2024-44184 (CVSS score 5.5): An app might access user-sensitive data due to a permissions issue.

UIKit

27. CVE-2024-27879 (CVSS score 7.5): An attacker could cause unexpected app termination.

WebKit

28. CVE-2024-40857, CVE-2024-44187 (CVSS score 6.5): Maliciously crafted web content could lead to universal cross-site scripting or data exfiltration.

Wi-Fi

29. CVE-2024-40856 (CVSS score 7.5): An attacker could force a device to disconnect from a secure network.

Users are advised to wait a couple of days for a possible reports of issues on the new OS. Then update their devices.