Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/6/2018
11:30 AM
50%
50%

Apple Issues Security Fixes Across Mac, iOS

Software updates for Mac and iOS bring patches to Safari, iCloud, iTunes on Windows, and tvOS.

Apple has released security fixes for several vulnerabilities in Mac and iOS software. Affected services include iOS, Safari, iCloud, iTunes for Windows, tvOS, and macOS Mojave, High Sierra, and Sierra. All December patches can be installed via Software Update.

MacOS updates will arrive in Mojave 10.14.2, High Sierra security update 2018-003, and Sierra security 2018-006. They address 13 CVEs, including two for WindowServer (CVE-2018-4449 and CVE-2018-4450), one in Disk Images (CVE-2018-4465), one in Carbon Core (CVE-2018-4463), one in Intel Graphics Driver (CVE-2018-4434), and one in IOHIDFamily (CVE-2018-4427).

There are five CVEs for Kernel addressing a denial-of-service vulnerability (CVE-2018-4460), kernel memory disclosure (CVE-2018-4431), and three that would let an attacker or application elevate privileges and execute code (CVE-2018-4435, CVE-2018-4461, CVE-2018-4447).

The iOS 12.1.1 update comes with all patches for Airport, Disk Images, Kernel, Safari, and WebKit. It also fixes a vulnerability in FaceTime (CVE-2018-4430), which could let an attacker view contacts from the lock screen, and a File Provider bug (CVE-2018-4446), which could share data on the device's other applications. Other iOS-specific CVEs affect LinkPresentation (CVE-2018-4429), which could enable user interface spoofing, and Profiles (CVE-2018-4436).

Safari version 12.0.2 brings six WebKit patches addressing issues that could lead to arbitrary code execution. It also patches vulnerabilities that could lead to address bar spoofing (CVE-2018-4440) or user interface spoofing (CVE-2018-4439), or prevent users from deleting their browser histories (CVE-2018-4445).

More details on this month's patches can be found in the US-CERT advisory.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...