iOS 12.0.1 closes two security bugs discovered and reported by researcher Jose Rodriguez. Both of them allow a physically present attacker to bypass the device’s lock screen.
CVE-2018-4380 affects the VoiceOver accessibility feature that allows blind people to use iOS devices, and may allow the attacker to view photos and contacts.
CVE-2018-4379 affects the Quick Look capability, which lets people preview a variety of documents, images and other types of files even if their mail app doesn’t support those file formats, and may allow the attacker to share items.
Both bugs have been fixed by restricting options offered on a locked device running iOS.
Users who haven’t enabled the Automatic Updates option introduced in iOS 12 (it is turned off by default) are advised to install the update manually.