CVE-2020-9807

8.8 HIGH

📋 TL;DR

This is a memory corruption vulnerability in Apple's WebKit browser engine that allows arbitrary code execution when processing malicious web content. It affects iOS, iPadOS, tvOS, watchOS, Safari, iTunes for Windows, and iCloud for Windows. Attackers can exploit this by tricking users into visiting malicious websites.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • tvOS
  • watchOS
  • Safari
  • iTunes for Windows
  • iCloud for Windows
Versions: Versions before iOS 13.5, iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19
Operating Systems: iOS, iPadOS, tvOS, watchOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with affected software versions are vulnerable by default when processing web content through Safari or WebKit-based components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the device, enabling data theft, surveillance, ransomware deployment, or persistence establishment.

🟠 Likely Case

Drive-by compromise where users visiting malicious websites get malware installed, leading to credential theft, data exfiltration, or device enrollment in botnets.

🟢 If Mitigated

No impact if devices are fully patched and users avoid suspicious websites; limited impact if network filtering blocks malicious domains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious website) but no authentication. Memory corruption vulnerabilities in WebKit are frequently exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 13.5, iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19

Vendor Advisory: https://support.apple.com/HT211168

Restart Required: Yes

Instructions:

1. Update iOS/iPadOS: Settings > General > Software Update.
2. Update tvOS: Settings > System > Software Updates.
3. Update watchOS: iPhone Watch app > General > Software Update.
4. Update Safari: App Store > Updates.
5. Update iTunes/iCloud for Windows: Open application > Help > Check for Updates.

🔧 Temporary Workarounds

Disable JavaScript (Platform: all)

Prevents execution of malicious JavaScript that could trigger the vulnerability.

iOS/iPadOS: Settings > Safari > Advanced > JavaScript (toggle off)
Safari: Safari > Preferences > Security > Enable JavaScript (uncheck)

Use Alternative Browser (Platform: all)

Switch to browsers not using the WebKit engine (Chrome, Firefox on iOS).

🧯 If You Can't Patch

  • Deploy web filtering to block known malicious domains and suspicious JavaScript content
  • Implement application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Compare the installed software version against the affected versions list; if it is below the patched version, the device is vulnerable.

Check Version:

iOS/iPadOS: Settings > General > About > Version
Safari: Safari > About Safari
Windows: iTunes > Help > About iTunes or iCloud > Help > About iCloud

Verify Fix Applied:

Confirm that the software version matches or exceeds the patched versions listed in the Official Fix section.
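
The version check above, applied to an asset inventory, as an added example that is not part of the original advisory. The fixed versions are the ones listed on this page; the inventory rows, the function names, and the rule for choosing between the two iCloud for Windows fixes (same major line if one exists, otherwise the newest fix) are assumptions.

```python
# Fixed versions copied from this page's "Patch Version" line.
FIXED = {
    "iOS": ["13.5"], "iPadOS": ["13.5"], "tvOS": ["13.4.5"],
    "watchOS": ["6.2.5"], "Safari": ["13.1.1"],
    "iTunes for Windows": ["12.10.7"],
    "iCloud for Windows": ["7.19", "11.2"],  # two separate release lines
}

def parse(version):
    """'13.4.1' -> (13, 4, 1); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in version.strip().split("."))

def older(a, b):
    """True if tuple a < b, zero-padding so that 13.5 equals 13.5.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def status(product, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventory row."""
    fixes = FIXED.get(product)
    if fixes is None:
        return "unknown"  # product not covered by this advisory
    try:
        v = parse(version)
    except ValueError:
        return "unknown"  # unparseable version: review by hand
    fixed = [parse(f) for f in fixes]
    # Assumption: use the fix on the same major line, else the newest fix.
    same_line = [f for f in fixed if f[0] == v[0]]
    target = same_line[0] if same_line else max(fixed)
    return "vulnerable" if older(v, target) else "patched"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("phone-01", "iOS", "13.4.1"),
    ("phone-02", "iOS", "13.5.0"),
    ("mac-07", "Safari", "13.1"),
    ("pc-12", "iCloud for Windows", "7.18"),
    ("pc-13", "iCloud for Windows", "10.9"),
    ("pc-14", "iTunes for Windows", "12.10.7"),
]

def report(inventory=INVENTORY):
    """Attach a status to every (host, product, version) row."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for host, product, version, state in report():
        print(f"{host:10} {product:20} {version:10} {state}")
```

Rows reported as "unknown" need manual review: the product is either outside this advisory or its version string did not parse as dotted numbers.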

📡 Detection & Monitoring

Log Indicators:

  • Unusual process crashes in WebKit processes
  • Suspicious JavaScript execution patterns in web logs
  • Unexpected network connections from browser processes

Network Indicators:

  • Connections to known malicious domains hosting exploit code
  • Unusual JavaScript payloads in HTTP traffic
  • Beaconing to command and control servers

SIEM Query:

source="web_proxy" AND (url="*malicious-domain*" OR js_content="*exploit_pattern*")
