Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Apple Patches iOS, Safari and MacOS - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Apple Patches iOS, Safari and MacOS

Apple today released updated for Safari, macOS and iOS. The patches fix 4 different vulnerabilities. The most severe of the vulnerabilities affect WebKit. These vulnerablities could be exploited to execute arbitrary code if a user visits a malicous site.

Note that WebKit is also included in tvOS and watchOS. A patch release for these operating systems may be imminent and I will update this article as I see them.

Vulnerability Overview

CVE iOS MacOS/Safari Severity
CVE 2018-4200 yes yes critical
CVE 2018-4204 yes yes critical
CVE 2018-4206 yes yes important
CVE 2018-4187 yes yes important

Safari 11.1

This update patches two vulnerabilities in WebKit. This update also applies to older still supported versions of OS X / MacOS (10.11/12, El Capitan, Sierra) in addition to the latest version ( High Sierra, 10.13.4). iOS patches the same WebKit vulnerablities.

Vulnerability Impact Description CVE
WebKit Processing maliciously crafted web content may lead to arbitrary code execution A memory corruption issue was addressed with improved state management. CVE 2018-4200
WebKit Processing maliciously crafted web content may lead to arbitrary code execution A memory corruption issue was addressed with improved memory handling. CVE 2018-4204

MacOS Security update 2018-001 for macOS High Sierra 10.13

For MacOS High Sierra (10.13), Apple patches two vulnerabilities. One fixes a vulnerability in Crash Reporter, the second one fixes a vulnerability in how URL links are displayed.

Vulnerability Impact Description CVE
Crash Reporter An application may be able to gain elevated privileges A memory corruption issue was addressed with improved error handling. CVE 2018-4206
LinkPresentation Processing a maliciously crafted text message may lead to UI spoofing A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE 2018-4187

iOS 11.3.1

4 Vulnerabilities are being patched in iOS 11.3. The update applies to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

The iOS update is essentially the sum of the macOS and Safari update.

Vulnerability Impact Description CVE
Crash Reporter An application may be able to gain elevated privileges A memory corruption issue was addressed with improved error handling. CVE 2018-4206
LinkPresentation Processing a maliciously crafted text message may lead to UI spoofing A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE 2018-4187
WebKit Processing maliciously crafted web content may lead to arbitrary code execution A memory corruption issue was addressed with improved state management. CVE 2018-4200
WebKit Processing maliciously crafted web content may lead to arbitrary code execution A memory corruption issue was addressed with improved memory handling. CVE 2018-4204

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

 Johannes

3245 Posts
ISC Handler
Reply Subscribe Apr 24th 2018
4 weeks ago
the iOS 11.3.1 update on an iPhone 8 has been causing issues with the device freezing and getting a black screen. This is happening when opening a text message with an image. It is random in nature so be careful with this one. For this case Apple is recommending restoring from backup to 11.3
 Anonymous
Posts
Reply Quote Apr 25th 2018
4 weeks ago

Sign Up for Free or Log In to start participating in the conversation!