Apple has released the latest round of updates for its various products. They come with the usual security fixes, but also a new feature aimed at informing users about what information Apple-made apps collect about them and how that information is used.
The security fixes
Apple has plugged a bucketload of vulnerabilities in WebKit, the layout engine software component for rendering web pages in Safari, most of which may lead to arbitrary code execution, as well as a buffer overflow bug that could allow a malicious application to elevate privileges. These fixes are included in all of the updates.
Among the other notable plugged vulnerabilities are:
- A state management issue that could allow a person with physical access to an iOS device to disable Find My iPhone without entering an iCloud password (great for thieves and finders of lost devices who are unburdened by conscience)
- A UI issue in Mail that could allow an attacker in a privileged network position to intercept the contents of S/MIME-encrypted email
- A vulnerability in the Safari login autofill feature that could allow a malicious website to exfiltrate autofilled data in Safari without explicit user interaction.
- A flaw in WindowServer that could allow an unprivileged application to log keystrokes entered into other applications even when secure input mode is enabled.
Data and privacy screens
Some of the updates – namely for iOS, tvOS and macOS – come with new information screens for Apple-made apps, which explain in very plain language which data is collected by the app, how it’s used, which third parties it may be shared with, how some of this collection can be turned off, etc.
The option to view this information will appear when users open a new app for the first time.
The information can later be viewed and reviewed from the “Settings” menu of the specific apps, or via Apple’s “Our Approach to Privacy” web page.
Another change that’s been announced and will come into effect in the coming months is a revamp of Apple’s privacy controls for devices and cloud services.
The company will provide users with tools that will allow them to download a copy of all their data stored with the company, to correct personal information, temporarily deactivate their account or completely delete it.
This is a direct result of the upcoming GDPR, as it requires companies to enable EU citizens and residents to have control over their personal data and know what’s happening to it.