Apple Patches iOS, Safari and MacOS
Apple today released updated for Safari, macOS and iOS. The patches fix 4 different vulnerabilities. The most severe of the vulnerabilities affect WebKit. These vulnerablities could be exploited to execute arbitrary code if a user visits a malicous site.
Note that WebKit is also included in tvOS and watchOS. A patch release for these operating systems may be imminent and I will update this article as I see them.
Vulnerability Overview
| CVE | iOS | MacOS/Safari | Severity |
|---|---|---|---|
| CVE-2018-4200 | yes | yes | critical |
| CVE-2018-4204 | yes | yes | critical |
| CVE-2018-4206 | yes | yes | important |
| CVE-2018-4187 | yes | yes | important |
Safari 11.1
This update patches two vulnerabilities in WebKit. This update also applies to older still supported versions of OS X / MacOS (10.11/12, El Capitan, Sierra) in addition to the latest version ( High Sierra, 10.13.4). iOS patches the same WebKit vulnerablities.
| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204 |
MacOS Security update 2018-001 for macOS High Sierra 10.13
For MacOS High Sierra (10.13), Apple patches two vulnerabilities. One fixes a vulnerability in Crash Reporter, the second one fixes a vulnerability in how URL links are displayed.
| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206 |
| LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187 |
iOS 11.3.1
4 Vulnerabilities are being patched in iOS 11.3. The update applies to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
The iOS update is essentially the sum of the macOS and Safari update.
| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206 |
| LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204 |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|
| Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments