Apple Updates Everything, Again
Apple Patch Summary
Apple released updates for all of its products. Noteworthy is the "Meltdown" patch, which in this round applies to Sierra (10.12) and El Capitan (10.11) only; Apple had already released patches for this vulnerability for High Sierra (10.13) about a week ago. For iOS, CVE-2018-4100 fixes a vulnerability that was already abused in the wild as part of a DoS attack against iOS devices. As usual, the WebKit vulnerabilities are probably the most critical ones, as they can be exploited via Safari to execute arbitrary code. Full details from Apple can be found here. On our Slack channel, there was a report that the OS X patches may cause systems to fail if Carbon Black Response is installed. Please let us know if you are running this product and whether you had issues.
Component | CVE | MacOS/OS X | iOS | watchOS | tvOS |
---|---|---|---|---|---|
Core Bluetooth | CVE-2018-4095 | X | X | X | |
Security | CVE-2018-4086 | X | X | X | X |
QuartzCore | CVE-2018-4085 | X | X | X | X |
curl | CVE-2017-8817 | X | | | |
Audio | CVE-2018-4094 | X | X | X | X |
Kernel | CVE-2017-5754 (Meltdown) | X | | | |
Kernel | CVE-2018-4097 | X | | | |
LinkPresentation | CVE-2018-4100 | X | X | X | |
Kernel | CVE-2018-4090 | X | X | X | X |
Core Bluetooth | CVE-2018-4087 | X | X | X | |
IOHIDFamily | CVE-2018-4098 | X | | | |
WebKit | CVE-2018-4088 | X | X | X | X |
WebKit | CVE-2018-4089 | X | X | X | |
Kernel | CVE-2018-4082 | X | X | X | X |
Wi-Fi | CVE-2018-4084 | X | | | |
Kernel | CVE-2018-4093 | X | X | X | X |
Sandbox | CVE-2018-4091 | X | | | |
Kernel | CVE-2018-4092 | X | X | X | X |
WebKit | CVE-2018-4096 | X | X | X | X |
MacOS 10.13.3
Component | Impact | Description | CVE(s) |
---|---|---|---|
Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
LinkPresentation | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
Wi-Fi | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4084 |
iOS 11.2.5
Component | Impact | Description | CVEs |
---|---|---|---|
Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
LinkPresentation | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2018-4088, CVE-2018-4089, CVE-2018-4096 |
watchOS 4.2.2
Component | Models | Impact | Description | CVEs |
---|---|---|---|---|
Audio | All Apple Watch models | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
Core Bluetooth | All Apple Watch models | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
Kernel | All Apple Watch models | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
Kernel | All Apple Watch models | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
Kernel | All Apple Watch models | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
Kernel | All Apple Watch models | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
LinkPresentation | All Apple Watch models | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
QuartzCore | All Apple Watch models | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
Security | All Apple Watch models | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
WebKit | All Apple Watch models | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2018-4088, CVE-2018-4096 |
tvOS 11.2.5
Component | Impact | Description | CVEs |
---|---|---|---|
Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Life after GDPR: Implications for Cybersecurity
It’s not much discussed in the United States, but the EU’s landmark General Data Protection Regulation (GDPR) will soon become the law that governs how data about European citizens must be protected, stored, and processed. This, of course, has a great effect on organizations doing business in Europe, but it has had, and will have, a myriad of side effects that we’ll be dealing with for years to come. This is especially true for cybersecurity professionals and those who investigate crime on the internet.
For almost two years, debate has gone on in an ICANN working group on the future of Whois, the protocol that allows anyone to see registrant information for any domain on the internet (unless otherwise protected). Whois has come under fire from time to time from privacy activists and data protection authorities, and that conflict has now reached a boiling point over GDPR. On the one hand, in a subset of cases personal information (unless you buy privacy protection) is published, including phone numbers, emails, and mailing addresses. On the other hand, security investigators, researchers, and data scientists use this data in a variety of ways to find malicious domains and protect their constituents.
The debate has at times been heated, with a registrar infamously calling anti-spam groups “blackhats”, but after spending months in this group, it’s pretty clear that free and meaningful access to full Whois data is going away. So the question becomes: now what? And what does this mean for other forms of data useful for threat research?
Whois, and certainly the commercial services built on top of that data, is useful for correlating malicious activity. During the French presidential campaign (and the upcoming midterm elections in the United States), it is possible to find other domains with the same registrant details and so identify multiple resources used by the adversary. It also makes it possible to check whether domains are owned by who they purport to be owned by, or to obtain essential contact information to resolve problems.
One problem I run into from time to time is how to contact victims when I see that their resources are compromised, as they often won’t list contact data on their website. Whois data can, of course, be wrong… but even in those situations it is useful.
Luckily, for the broader class of threat data, it seems others are taking a more nuanced approach. This guide from the MISP Project discusses the implications in detail and points out that recital 49 of GDPR encourages these kinds of sharing arrangements to continue.
If Whois does go away, how will it impact your organization and what plans do you have to accommodate those needs if it does?
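As an added illustration of the registrant pivot described above (example code written for this page, not from the diary or any ISC tool), the following Python groups domains whose whois records share a registrant email or phone, and shows why GDPR-style redaction ("REDACTED FOR PRIVACY") removes the pivot entirely. The domains, addresses and phone numbers are constructed, and the field names mirror the "Registrant Email:" / "Registrant Phone:" lines of thick whois output.

```python
import re
from collections import defaultdict
# Constructed whois text for four hypothetical domains (not real registrations);
# the "Registrant Email:"/"Registrant Phone:" lines mirror thick whois output.
SAMPLE_WHOIS = {
    "login-secure-example.test":
        "Domain Name: LOGIN-SECURE-EXAMPLE.TEST\n"
        "Registrant Email: ops@mailer.example\n"
        "Registrant Phone: +1.5555550100\n",
    "account-verify-example.test":
        "Domain Name: ACCOUNT-VERIFY-EXAMPLE.TEST\n"
        "Registrant Email: OPS@Mailer.example\n"
        "Registrant Phone: +1.5555550199\n",
    "invoice-portal-example.test":
        "Domain Name: INVOICE-PORTAL-EXAMPLE.TEST\n"
        "Registrant Email: billing@other.example\n"
        "Registrant Phone: +1.5555550100\n",
    # What a post-GDPR lookup typically returns: fields present but withheld.
    "redacted-example.test":
        "Domain Name: REDACTED-EXAMPLE.TEST\n"
        "Registrant Email: REDACTED FOR PRIVACY\n"
        "Registrant Phone: REDACTED FOR PRIVACY\n",
}

PIVOT_FIELDS = ("Registrant Email", "Registrant Phone")
# Placeholder values registrars substitute for withheld data; never pivot on
# them, or every redacted domain would "correlate" with every other one.
REDACTED = re.compile(r"redacted|privacy|not disclosed|data protected", re.I)

def parse_pivots(text):
    """Return {field: normalized value} for the usable pivot fields of one record."""
    pivots = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key in PIVOT_FIELDS and value and not REDACTED.search(value):
            pivots[key] = value.lower()  # case-fold so OPS@ and ops@ match
    return pivots

def cluster_domains(records):
    """{(field, value): sorted domains} for every pivot value shared by 2+ domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        for field, value in parse_pivots(text).items():
            index[(field, value)].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}

def unpivotable(records):
    """Domains whose record yields no usable pivot at all (the redacted case)."""
    return sorted(d for d, t in records.items() if not parse_pivots(t))
```

Run `cluster_domains(SAMPLE_WHOIS)` to see the two shared-registrant clusters; `unpivotable(SAMPLE_WHOIS)` lists the redacted domain that no longer correlates with anything.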
--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity