Endpoint

12/6/2018
11:30 AM
50%
50%

Apple Issues Security Fixes Across Mac, iOS

Software updates for Mac and iOS bring patches to Safari, iCloud, iTunes on Windows, and tvOS.

Apple has released security fixes for several vulnerabilities in Mac and iOS software. Affected services include iOS, Safari, iCloud, iTunes for Windows, tvOS, and macOS Mojave, High Sierra, and Sierra. All December patches can be installed via Software Update.

MacOS updates will arrive in Mojave 10.14.2, High Sierra security update 2018-003, and Sierra security 2018-006. They address 13 CVEs, including two for WindowServer (CVE-2018-4449 and CVE-2018-4450), one in Disk Images (CVE-2018-4465), one in Carbon Core (CVE-2018-4463), one in Intel Graphics Driver (CVE-2018-4434), and one in IOHIDFamily (CVE-2018-4427).

There are five CVEs for Kernel addressing a denial-of-service vulnerability (CVE-2018-4460), kernel memory disclosure (CVE-2018-4431), and three that would let an attacker or application elevate privileges and execute code (CVE-2018-4435, CVE-2018-4461, CVE-2018-4447).

The iOS 12.1.1 update comes with all patches for Airport, Disk Images, Kernel, Safari, and WebKit. It also fixes a vulnerability in FaceTime (CVE-2018-4430), which could let an attacker view contacts from the lock screen, and a File Provider bug (CVE-2018-4446), which could share data on the device's other applications. Other iOS-specific CVEs affect LinkPresentation (CVE-2018-4429), which could enable user interface spoofing, and Profiles (CVE-2018-4436).

Safari version 12.0.2 brings six WebKit patches addressing issues that could lead to arbitrary code execution. It also patches vulnerabilities that could lead to address bar spoofing (CVE-2018-4440) or user interface spoofing (CVE-2018-4439), or prevent users from deleting their browser histories (CVE-2018-4445).

More details on this month's patches can be found in the US-CERT advisory.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.