TTCSIRT-144.071618: TT-CSIRT Advisory – Apple Security Updates

Apple has released a security update stating that the following vulnerabilities have been discovered in iTunes, iCloud for Windows, Safari, macOS High Sierra, Sierra, and El Capitan, watchOS, tvOS, and iOS:

a) A cookie management issue was addressed with improved checks – (CVE-2018-4293).

b) A denial of service issue was addressed with improved memory handling – (CVE-2018-4290).

c) Multiple memory corruption issues were addressed with improved input validation – (CVE-2018-4269, CVE-2018-4271, CVE-2018-4273).

d) An information disclosure issue was addressed by removing the vulnerable code – (CVE-2018-4289).

e) An out-of-bounds read was addressed with improved input validation – (CVE-2018-4248).

f) A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation – (CVE-2018-4178).

g) A race condition was addressed with additional validation – (CVE-2018-4266).

h) Multiple inconsistent user interface issues were addressed with improved state management – (CVE-2018-4260, CVE-2018-4279).

i) Multiple memory corruption issues were addressed with improved memory handling – (CVE-2018-4261, CVE-2018-4262).

j) Multiple out-of-bounds read issues existed that led to the disclosure of kernel memory. This was addressed with improved input validation – (CVE-2018-4282, CVE-2018-4283).

k) Multiple type confusion issues were addressed with improved memory handling – (CVE-2018-4284, CVE-2018-4285).

Successful exploitation of the most severe of these vulnerabilities could result in an attacker having administrator privileges to install programs; view, change, or delete data; or create new accounts with full user rights.

Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2018-076/