Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches macOS, iOS, Safari

Apple this week released patches to address a handful of security vulnerabilities in macOS, iOS, and Safari.

Apple this week released patches to address a handful of security vulnerabilities in macOS, iOS, and Safari.

Available for macOS High Sierra 10.13.4, Security Update 2018-001 addresses two vulnerabilities impacting Crash Reporter and LinkPresentation, respectively.

The first is a memory corruption issue that could allow an application to gain elevated privileges. Tracked as CVE-2018-4206, the security flaw was reported by Ian Beer of Google Project Zero. Apple addressed the bug with improved error handling.

The tech company also resolved a spoofing issue in the handling of URLs, which could result in UI spoofing when processing a maliciously crafted text message. Tracked as CVE-2018-4187 and reported by Zhiyang Zeng, of Tencent Security Platform Department, and Roman Mueller, the issue was addressed with improved input validation.

In a blog post in March, Mueller explained that the vulnerability was introduced when Apple added QR code reading capabilities to the camera app and that it resides in the application being unable to correctly detect the hostname in a URL.

Thus, a malicious actor could craft a QR code that, when read with the camera app, would display a different hostname in the notification shown to the user compared to the domain Safari would actually access.

Both of these issues were resolved in iOS 11.3.1 as well, which is now available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Additionally, the iOS update patches two bugs in WebKit.

Both of these bugs are memory corruption issues that could lead to arbitrary code execution when processing maliciously crafted web content. To resolve these vulnerabilities, Apple improved state management and memory handling, respectively.

Advertisement. Scroll to continue reading.

The first of these bugs is tracked as CVE-2018-4200 and was found by Ivan Fratric of Google Project Zero. Tracked as CVE-2018-4204, the second issue was reported by Richard Zhu, working with Trend Micro’s Zero Day Initiative.

Now available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS Hi
gh Sierra 10.13.4, the newly released Safari 11.1
includes patches for both WebKit vulnerabilities.

Related: Apple Patches Dozens of Vulnerabilities Across Product Lines

Related: Apple Addresses HSTS User Tracking in WebKit

Related: Apple Fixes Indian Character Crash Bug in iOS, macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.