Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apple updates fix code execution, privilege escalation and spoofing issues

Apple on Tuesday released security updates for the Safari browser and its MacOS and iOS operating systems, fixing a total of four vulnerabilities.

Two of the bugs, CVE-2018-4200 and CVE-2018-4204, were found in the WebKit web browser engine used by Safari and iOS,and were described as memory corruption issues that attackers can exploit with maliciously crafted web content to execute arbitrary code.

The first of these flaws was discovered by Ivan Fratric of Google Project Zero, and ultimately repaired with improved state management. The second, found using Google's OSS-Fuzz capabilities, was reported by Richard Zhu (aka "fluorescence") in conjunction with Trend Micro's Zero Day Initiative, and was repaired with improved memory handling.

The above flaws are fixed in Safari 11.1 for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4, and in iOS version 11.3.1 for iPhone 5s and later, iPad Air and later, and the iPod touch 6th generation.

The remaining two bugs, were found in the CrashReporter and LinkPresentation features of both macOS and iOS. Apple users are protected from these flaws upon downloading macOS High Sierra 10.13.4, or iOS version 11.3.1 for iPhone 5s and later, iPad Air and later, and the iPod touch 6th generation.

Discovered by Ian Beer of Google Project Zero, the CrashReporter bug is a memory corruption issue that can allow applications to gain elevated privileges. Apple addressed the problem, designated CVE-2018-4206, via improved error handling.

The fourth and final bug, CVE-2018-4187, is a vulnerability involving the handling of URLs that could result in user interface spoofing. Reported by Tencent researcher Zhiyang Zeng (aka @Wester), as well as Roman Mueller (aka @faker_), the issue was resolved with with improved input validation.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.