Apple this week released patches to address a handful of security vulnerabilities in macOS, iOS, and Safari.
Available for macOS High Sierra 10.13.4, Security Update 2018-001 addresses two vulnerabilities impacting Crash Reporter and LinkPresentation, respectively.
The first is a memory corruption issue that could allow an application to gain elevated privileges. Tracked as CVE-2018-4206, the security flaw was reported by Ian Beer of Google Project Zero. Apple addressed the bug with improved error handling.
The tech company also resolved a spoofing issue in the handling of URLs, which could result in UI spoofing when processing a maliciously crafted text message. Tracked as CVE-2018-4187 and reported by Zhiyang Zeng, of Tencent Security Platform Department, and Roman Mueller, the issue was addressed with improved input validation.
In a blog post in March, Mueller explained that the vulnerability was introduced when Apple added QR code reading capabilities to the camera app and that it resides in the application being unable to correctly detect the hostname in a URL.
Thus, a malicious actor could craft a QR code that, when read with the camera app, would display a different hostname in the notification shown to the user compared to the domain Safari would actually access.
Both of these issues were resolved in iOS 11.3.1 as well, which is now available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Additionally, the iOS update patches two bugs in WebKit.
Both of these bugs are memory corruption issues that could lead to arbitrary code execution when processing maliciously crafted web content. To resolve these vulnerabilities, Apple improved state management and memory handling, respectively.
The first of these bugs is tracked as CVE-2018-4200 and was found by Ivan Fratric of Google Project Zero. Tracked as CVE-2018-4204, the second issue was reported by Richard Zhu, working with Trend Micro’s Zero Day Initiative.
Now available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS Hi
gh Sierra 10.13.4, the newly released Safari 11.1 includes patches for both WebKit vulnerabilities.
Related: Apple Patches Dozens of Vulnerabilities Across Product Lines
Related: Apple Addresses HSTS User Tracking in WebKit
Related: Apple Fixes Indian Character Crash Bug in iOS, macOS
More from Ionut Arghire
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
- Chrome 114 Released With 18 Security Fixes
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
Latest News
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
