
SANS ISC: Apple Patches iOS, Safari and MacOS - SANS Internet Storm Center

Apple Patches iOS, Safari and MacOS

Apple today released updates for Safari, macOS and iOS. The patches fix four different vulnerabilities. The most severe of them affect WebKit and could be exploited to execute arbitrary code if a user visits a malicious site.

Note that WebKit is also included in tvOS and watchOS. A patch release for these operating systems may be imminent and I will update this article as I see them.

Vulnerability Overview

| CVE | iOS | MacOS/Safari | Severity |
|---|---|---|---|
| CVE-2018-4200 | yes | yes | critical |
| CVE-2018-4204 | yes | yes | critical |
| CVE-2018-4206 | yes | yes | important |
| CVE-2018-4187 | yes | yes | important |

Safari 11.1

This update patches two vulnerabilities in WebKit. It applies to the older, still-supported versions of OS X / macOS (10.11 El Capitan and 10.12 Sierra) in addition to the latest version (10.13.4 High Sierra). The iOS update patches the same two WebKit vulnerabilities.

| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204 |

MacOS Security update 2018-001 for macOS High Sierra 10.13

For macOS High Sierra (10.13), Apple patches two vulnerabilities: one in Crash Reporter, the other in how URL links are displayed (LinkPresentation).

| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206 |
| LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187 |

iOS 11.3.1

Four vulnerabilities are patched in iOS 11.3.1. The update applies to iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

The iOS update is essentially the sum of the macOS and Safari updates.

| Vulnerability | Impact | Description | CVE |
|---|---|---|---|
| Crash Reporter | An application may be able to gain elevated privileges | A memory corruption issue was addressed with improved error handling. | CVE-2018-4206 |
| LinkPresentation | Processing a maliciously crafted text message may lead to UI spoofing | A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. | CVE-2018-4187 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved state management. | CVE-2018-4200 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4204 |
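The practical follow-up to an advisory like this is an inventory check: which devices are still exposed to which CVEs. The script below is an added example written for this diary, not Apple's or the ISC's code. It encodes only what the advisory tables above state (Safari 11.1 fixes the two WebKit CVEs on macOS 10.11 through 10.13, Security Update 2018-001 fixes the two local CVEs on 10.13, and iOS 11.3.1 fixes all four) and runs it over a constructed device inventory. It compares marketing version strings because those are all the advisory gives; matching on build numbers would be stricter but is outside what the page provides.

```python
"""Patch-exposure check for the Apple advisories described in this diary.

Added example: CVE list and fix versions come from the diary tables;
the device inventory at the bottom is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# CVE -> (component, severity), as listed in the vulnerability overview.
CVES = {
    "CVE-2018-4200": ("WebKit", "critical"),
    "CVE-2018-4204": ("WebKit", "critical"),
    "CVE-2018-4206": ("Crash Reporter", "important"),
    "CVE-2018-4187": ("LinkPresentation", "important"),
}
WEBKIT_CVES = ["CVE-2018-4200", "CVE-2018-4204"]   # fixed by Safari 11.1 / iOS 11.3.1
LOCAL_CVES = ["CVE-2018-4206", "CVE-2018-4187"]    # fixed by SU 2018-001 / iOS 11.3.1


@dataclass
class Device:
    name: str
    platform: str                          # "ios" or "macos"
    os_version: str                        # e.g. "10.13.4" or "11.3.1"
    safari_version: str = ""               # macOS only
    security_update_2018_001: bool = False # macOS 10.13 only


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.13.4' into (10, 13, 4) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def version_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison; shorter tuples are zero-padded so 11.3 < 11.3.1."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def missing_cves(d: Device) -> list[str]:
    """CVEs from this advisory that the device has not yet received fixes for."""
    if d.platform == "ios":
        # iOS 11.3.1 carries all four fixes.
        return [] if version_at_least(d.os_version, "11.3.1") else WEBKIT_CVES + LOCAL_CVES
    if d.platform == "macos":
        missing: list[str] = []
        # Safari 11.1 is the WebKit fix for 10.11, 10.12 and 10.13.
        if not d.safari_version or not version_at_least(d.safari_version, "11.1"):
            missing += WEBKIT_CVES
        # The diary lists Security Update 2018-001 only for High Sierra (10.13);
        # older releases are not evaluated for the two local CVEs here.
        if version_at_least(d.os_version, "10.13") and not d.security_update_2018_001:
            missing += LOCAL_CVES
        return missing
    raise ValueError(f"unknown platform: {d.platform}")


def worst_severity(cves: list[str]) -> str | None:
    """Highest severity among the given CVEs, or None if the list is empty."""
    order = {"critical": 2, "important": 1}
    if not cves:
        return None
    return max((CVES[c][1] for c in cves), key=order.__getitem__)


def exposure_report(devices: list[Device]) -> dict[str, list[str]]:
    """Map device name -> missing CVEs, only for devices that are exposed."""
    return {d.name: missing_cves(d) for d in devices if missing_cves(d)}


# Constructed inventory (not real devices) used to exercise the rules above.
INVENTORY = [
    Device("mac-patched", "macos", "10.13.4", safari_version="11.1", security_update_2018_001=True),
    Device("mac-sierra-old-safari", "macos", "10.12.6", safari_version="11.0.3"),
    Device("mac-highsierra-no-su", "macos", "10.13.4", safari_version="11.1"),
    Device("iphone-11.3", "ios", "11.3"),
    Device("iphone-11.3.1", "ios", "11.3.1"),
]

if __name__ == "__main__":
    for name, cves in exposure_report(INVENTORY).items():
        print(f"{name}: {worst_severity(cves)} -> {', '.join(cves)}")
```

Devices that are fully patched are omitted from the report; the severity column lets the critical WebKit exposures (reachable from a malicious web page) be prioritised over the local-only Crash Reporter and LinkPresentation issues.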

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
The iOS 11.3.1 update on an iPhone 8 has been causing issues with the device freezing and getting a black screen. This is happening when opening a text message with an image. It is random in nature, so be careful with this one. For this case Apple is recommending restoring from backup to 11.3.
Anonymous
