TTCSIRT-178.110518: TT-CSIRT Advisory – Apple Security Updates

Apple has released a security update stating that it has fixed the following vulnerabilities in Safari, iCloud, iTunes, watchOS, iOS, tvOS, Mojave, High Sierra and Sierra:

a) A buffer overflow was addressed with improved size validation – (CVE-2018-4424).

b) A configuration issue was addressed with additional restrictions – (CVE-2018-4342).

c) A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation – (CVE-2018-4377).

d) Denial of service issues were addressed with improved validation – (CVE-2018-4304, CVE-2018-4368, CVE-2018-4406).

e) A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management – (CVE-2018-4387).

f) A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device – (CVE-2018-4388).

g) Logic issues were addressed with improved state management – (CVE-2018-4369, CVE-2018-4385).

h) Logic issues were addressed with improved validation – (CVE-2018-4374, CVE-2018-4423).

j) An input validation issue was addressed with improved input validation – (CVE-2018-4295).

k) An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes – (CVE-2018-4398).

l) An out-of-bounds read was addressed with improved bounds checking – (CVE-2018-4203, CVE-2018-4308, CVE-2018-4365).

m) An out-of-bounds read was addressed with improved input validation – (CVE-2018-4371).

n) A resource exhaustion issue was addressed with improved input validation – (CVE-2018-4409).

o) A validation issue existed which allowed local file access. This was addressed with input sanitization – (CVE-2018-4346).

p) Validation issues were addressed with improved input sanitization – (CVE-2018-4396, CVE-2018-4417, CVE-2018-4418).

Further information on these vulnerabilities and their fixes can be found on the Apple Website at https://support.apple.com/en-us/HT209192