
Apple released a set of security updates for its products this month. Ten products received updates, including Apple's new brainchild, macOS Mojave, which launched in September. This update addresses a set of 26 vulnerabilities. The products listed under this update are macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, Security Update 2018-006 Sierra, iCloud, Safari, iTunes, tvOS, iOS, watchOS 5.1.2, and Shortcuts 2.1.2 for iOS.

A good 13 CVEs out of 26 could lead to Arbitrary Code Execution. Three interesting CVEs, CVE-2018-4446, CVE-2018-4303 and CVE-2018-4435, allow malicious applications running on the system to elevate privileges and gather information about other applications running on the system.


In the limelight: Mojave

The second set of updates for Mojave is considered important, as it is said to improve performance, compatibility, stability and security. Eleven vulnerabilities were reported for macOS. Five CVEs (CVE-2018-4303, CVE-2018-4463, CVE-2018-4434, CVE-2018-4460, and CVE-2018-4461) are unique to Mojave, out of which three are rated Critical for Arbitrary Code Execution and restricted kernel memory access. These updates are also believed to have addressed the issues with Wi-Fi and battery drain that were reported by customers last month.


Critical Vulnerabilities

Six CVEs are rated critical and have memory corruption issues. The first four CVEs listed lead to Arbitrary Code Execution with Kernel Privileges:

  1. CVE-2018-4427 lists a flaw in the IOHIDFamily of macOS Sierra 10.12.6 and macOS High Sierra 10.13.6, which leads to privilege escalation, and a flaw in the Disk Images of tvOS (Apple TV 4K and Apple TV (4th generation)) and watchOS (Apple Watch Series 1 and later).
  2. CVE-2018-4447 was published by Juwei Lin and Zhengyu Dong with TrendMicro. It lists a flaw in the Kernel for watchOS (Apple Watch Series 1 and later), macOS (macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.1), tvOS (Apple TV 4K and Apple TV (4th generation)) and iOS (iPhone 5s and later, iPad Air and later, and iPod touch 6th generation).
  3. CVE-2018-4461 was disclosed by Ian Beer with Google Project Zero. It lists a flaw in the Kernel for watchOS (Apple Watch Series 1 and later), macOS (macOS Mojave 10.14.1), tvOS (Apple TV 4K and Apple TV (4th generation)) and iOS (iPhone 5s and later, iPad Air and later, and iPod touch 6th generation).
  4. CVE-2018-4465 was published with Pangu Team. It lists a flaw in the Disk Images for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.1 and iOS (iPhone 5s and later, iPad Air and later, and iPod touch 6th generation).
  5. CVE-2018-4463 was disclosed by Maksymilian Arciemowicz with CXsecurity and lists a flaw in the Carbon Core of macOS Mojave 10.14.1 that leads to Arbitrary Code Execution with System Privileges.
  6. CVE-2018-4434 was disclosed by Zhuo Liang with Qihoo 360 and lists a flaw in the Intel Graphics Driver of macOS Mojave 10.14.1 that allows a local user to read kernel memory and terminate the system abruptly.

Apple Security Updates Summary :

  • Product : macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, and Security Update 2018-006 Sierra
  • Affected features : Airport, AMD, Carbon Core, Disk Images, Intel Graphics Driver, IOHID Family, Kernel, WindowServer
  • Impact : Arbitrary Code Execution, Privilege Escalation, Denial of Service
  • CVE : CVE-2018-4303, CVE-2018-4462, CVE-2018-4463, CVE-2018-4465, CVE-2018-4434, CVE-2018-4427, CVE-2018-4460, CVE-2018-4431, CVE-2018-4447, CVE-2018-4435, CVE-2018-4461, CVE-2018-4449, CVE-2018-4450

  • Product : iCloud 7.9
  • Affected OS : Windows 7 and later
  • Affected features : Safari, WebKit
  • Impact: Arbitrary Code Execution, Address bar spoofing, User interface spoofing
  • CVE : CVE-2018-4440, CVE-2018-4439, CVE-2018-4437, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438

  • Product : Safari 12.0.2
  • Affected OS : macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.1
  • Affected features : Safari, WebKit
  • Impact : Arbitrary Code Execution, Address bar spoofing, User interface spoofing
  • CVE : CVE-2018-4440, CVE-2018-4439, CVE-2018-4445, CVE-2018-4437, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438

  • Product : iTunes 12.9.2
  • Affected OS : Windows 7 and later
  • Affected features : Safari, WebKit
  • Impact : Arbitrary Code Execution, Address bar spoofing, User interface spoofing
  • CVE : CVE-2018-4440, CVE-2018-4439, CVE-2018-4437, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438

  • Product : tvOS 12.1.1
  • Affected features : Airport, Disk Images, Kernel, Profiles, WebKit
  • Impact : Arbitrary Code Execution, Privilege Escalation, Denial of Service
  • CVE : CVE-2018-4303, CVE-2018-4427, CVE-2018-4460, CVE-2018-4431, CVE-2018-4435, CVE-2018-4447, CVE-2018-4461, CVE-2018-4436, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438, CVE-2018-4437, CVE-2018-4464

  • Product : iOS 12.1.1
  • Affected features : Airport, Disk Images, FaceTime, File Provider, Kernel, LinkPresentation, Profiles, Safari, WebKit
  • Impact : Arbitrary Code Execution, Address bar spoofing, User interface spoofing
  • CVE : CVE-2018-4303, CVE-2018-4465, CVE-2018-4430, CVE-2018-4446, CVE-2018-4460, CVE-2018-4431, CVE-2018-4435, CVE-2018-4447, CVE-2018-4461, CVE-2018-4429, CVE-2018-4436, CVE-2018-4439, CVE-2018-4440, CVE-2018-4445, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438, CVE-2018-4437, CVE-2018-4464

  • Product : watchOS 5.1.2
  • Affected features : Airport, Disk Images, Kernel, LinkPresentation, Profiles, WebKit
  • Impact : Arbitrary Code Execution, Privilege Escalation, User interface spoofing
  • CVE : CVE-2018-4303, CVE-2018-4427, CVE-2018-4460, CVE-2018-4431, CVE-2018-4447, CVE-2018-4435, CVE-2018-4461, CVE-2018-4429, CVE-2018-4436, CVE-2018-4437, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438
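
To turn the summary above into a patch-compliance check, the following added example (not part of the original article and not SecPod or Apple tooling) compares inventory records against the fixed versions listed in the "Product" lines. The inventory records and the `installed_updates` field are assumptions about what an asset inventory provides; versions are compared numerically, and Sierra and High Sierra are judged by the named Security Update rather than by version number.

```python
# Added example; the inventory records below are constructed, not real hosts.
# Fixed versions are taken from the "Product" lines of the summary above.
FIXED = {
    "macOS Mojave": (10, 14, 2), "iCloud": (7, 9), "Safari": (12, 0, 2),
    "iTunes": (12, 9, 2), "tvOS": (12, 1, 1), "iOS": (12, 1, 1),
    "watchOS": (5, 1, 2), "Shortcuts": (2, 1, 2),
}
# Sierra and High Sierra are fixed by a named Security Update, so the check
# uses the installed-update list (assumed to come from the inventory).
SECURITY_UPDATE = {
    "macOS Sierra": "Security Update 2018-006",
    "macOS High Sierra": "Security Update 2018-003",
}

def parse_version(text):
    """Turn '10.14.1' into (10, 14, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(version, width):
    """Right-pad with zeros so '7.9' and '7.9.0' compare as equal."""
    return version + (0,) * (width - len(version))

def assess(product, version, installed_updates=()):
    """Return 'patched', 'needs <fix>', or 'not covered by this advisory'."""
    if product in SECURITY_UPDATE:
        needed = SECURITY_UPDATE[product]
        return "patched" if needed in installed_updates else f"needs {needed}"
    if product not in FIXED:
        return "not covered by this advisory"
    fixed, have = FIXED[product], parse_version(version)
    width = max(len(fixed), len(have))
    if _pad(have, width) >= _pad(fixed, width):
        return "patched"
    return "needs " + ".".join(str(n) for n in fixed)

if __name__ == "__main__":
    inventory = [  # constructed sample records: (host, product, version, updates)
        ("mac-01", "macOS Mojave", "10.14.1", []),
        ("mac-02", "macOS High Sierra", "10.13.6", ["Security Update 2018-003"]),
        ("win-07", "iTunes", "12.10", []),   # 12.10 is newer than 12.9.2
        ("win-07", "iCloud", "7.8.1", []),
    ]
    for host, product, version, updates in inventory:
        print(f"{host:8} {product:18} {version:8} {assess(product, version, updates)}")
```
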

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.


Article Name: Apple Security Updates - December 2018
Publisher Name: SecPod Technologies
