
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2018-120

DATE(S) ISSUED:

10/31/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Safari, iCloud, iTunes, watchOS, iOS, tvOS, Mojave, High Sierra, and Sierra. The most severe of these vulnerabilities could allow for arbitrary code execution.

  • Safari is a web browser available for OS X.
  • iCloud is a cloud storage service.
  • iTunes is a media player, media library, online radio broadcaster, and mobile device management application developed by Apple.
  • watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • tvOS is an operating system for the fourth-generation Apple TV digital media player.
  • Mojave is a desktop and server operating system for Macintosh computers.
  • High Sierra is a desktop and server operating system for Macintosh computers.
  • Sierra is a desktop and server operating system for Macintosh computers.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Safari versions prior to 12.0.1
  • iCloud for Windows prior to Version 7.8
  • iTunes versions prior to 12.9.1
  • watchOS versions prior to 5.1
  • iOS versions prior to 12.1
  • tvOS versions prior to 12.1
  • macOS Mojave versions prior to 10.14.1
  • macOS Sierra versions prior to 10.12.6, Security Update 2018-005
  • macOS High Sierra versions prior to 10.13.6, Security Update 2018-001
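The following is an added example, not part of the original advisory: a triage helper that compares inventory versions against the fixed versions listed above. The inventory rows, host names and status labels are constructed for illustration. For Sierra and High Sierra the fix ships as a Security Update that does not change the version number, so those hosts are flagged for a separate check.

```python
# Added example: triage an asset inventory against this advisory's fixed versions.
# Thresholds come from SYSTEMS AFFECTED; the inventory rows are constructed.
FIXED = {
    "safari": (12, 0, 1), "icloud for windows": (7, 8), "itunes": (12, 9, 1),
    "watchos": (5, 1), "ios": (12, 1), "tvos": (12, 1),
}
# macOS release line -> (fixed version, Security Update that keeps the same version)
MACOS = {
    (10, 14): ((10, 14, 1), None),
    (10, 13): ((10, 13, 6), "Security Update 2018-001"),
    (10, 12): ((10, 12, 6), "Security Update 2018-005"),
}

def parse(version):
    return tuple(int(part) for part in version.strip().split("."))

def older(a, b):
    """Compare dotted versions after zero-padding, so 12.1 == 12.1.0."""
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def triage(product, version):
    name, v = product.strip().lower(), parse(version)
    if name == "macos":
        if v[:2] not in MACOS:
            return "NOT_COVERED"          # release line not listed in the advisory
        fixed, update = MACOS[v[:2]]
        if older(v, fixed):
            return "VULNERABLE"
        if update and not older(fixed, v):
            return "VERIFY " + update     # version number alone cannot confirm the fix
        return "PATCHED"
    if name not in FIXED:
        return "NOT_COVERED"
    return "VULNERABLE" if older(v, FIXED[name]) else "PATCHED"

# Constructed sample inventory: host,product,version
INVENTORY = """\
mac-014,macOS,10.14
mac-027,macOS,10.13.6
win-102,iTunes,12.9.0.167
ipad-33,iOS,12.1
"""

def report(text=INVENTORY):
    rows = (line.split(",") for line in text.splitlines() if line.strip())
    return [(host, triage(product, version)) for host, product, version in rows]
```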

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Safari, iCloud, iTunes, watchOS, iOS, tvOS, Mojave, High Sierra, and Sierra. The most severe of these vulnerabilities could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A buffer overflow was addressed with improved size validation. (CVE-2018-4424)
  • A configuration issue was addressed with additional restrictions. (CVE-2018-4342)
  • A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. (CVE-2018-4377)
  • Denial of service issues were addressed with improved validation. (CVE-2018-4304, CVE-2018-4368, CVE-2018-4406)
  • A lock screen issue allowed access to photos via Reply With Message on a locked device. This issue was addressed with improved state management. (CVE-2018-4387)
  • A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device. (CVE-2018-4388)
  • Logic issues were addressed with improved state management. (CVE-2018-4369, CVE-2018-4385)
  • Logic issues were addressed with improved validation. (CVE-2018-4374, CVE-2018-4423)
  • Memory corruption issues were addressed with improved input validation. (CVE-2018-4350, CVE-2018-4366, CVE-2018-4367, CVE-2018-4384, CVE-2018-4394, CVE-2018-4408, CVE-2018-4410, CVE-2018-4411, CVE-2018-4412)
  • Memory corruption issues were addressed with improved memory handling. (CVE-2018-4126, CVE-2018-4326, CVE-2018-4331, CVE-2018-4334, CVE-2018-4340, CVE-2018-4341, CVE-2018-4354, CVE-2018-4393, CVE-2018-4401, CVE-2018-4402, CVE-2018-4415, CVE-2018-4419, CVE-2018-4422, CVE-2018-4425, CVE-2018-4426, CVE-2018-4427, CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416)
  • Memory corruption issues were addressed with improved validation. (CVE-2018-4378, CVE-2018-4407)
  • A memory corruption issue was addressed by removing the vulnerable code. (CVE-2018-4420)
  • A memory corruption issue was addressed with improved input validation. (CVE-2018-4350, CVE-2018-4408)
  • A memory corruption vulnerability was addressed with improved locking. (CVE-2018-4242)
  • A memory initialization issue was addressed with improved memory handling. (CVE-2018-4413)
  • An access issue existed with privileged API calls. This issue was addressed with additional restrictions. (CVE-2018-4399)
  • An access issue was addressed with additional sandbox restrictions. (CVE-2018-4310)
  • Inconsistent user interface issues were addressed with improved state management. (CVE-2018-4389, CVE-2018-4390, CVE-2018-4391)
  • An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry. (CVE-2018-3646)
  • An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel. (CVE-2018-3640)
  • An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel. (CVE-2018-3639)
  • An injection issue was addressed with improved validation. (CVE-2018-4153)
  • An input validation issue was addressed with improved input validation. (CVE-2018-4295)
  • An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes. (CVE-2018-4398)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2018-4203, CVE-2018-4308, CVE-2018-4365)
  • An out-of-bounds read was addressed with improved input validation. (CVE-2018-4371)
  • A resource exhaustion issue was addressed with improved input validation. (CVE-2018-4409)
  • A validation issue existed which allowed local file access. This was addressed with input sanitization. (CVE-2018-4346)
  • Validation issues were addressed with improved input sanitization. (CVE-2018-4396, CVE-2018-4417, CVE-2018-4418)
  • Validation issues were addressed with improved logic. (CVE-2018-4348, CVE-2018-4400)
  • Multiple issues in Perl were addressed with improved memory handling. (CVE-2017-12613, CVE-2017-12618, CVE-2018-6797)
  • Multiple issues in Ruby were addressed in this update. (CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064, CVE-2017-17405, CVE-2017-17742, CVE-2018-6914, CVE-2018-8777, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780)
  • This issue was addressed by removing additional entitlements. (CVE-2018-4403)
  • This issue was addressed with improved checks. (CVE-2018-4395)
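The fix noted for CVE-2018-4398 (pseudorandom bases for primality testing) can be illustrated with Miller-Rabin. This is an added example, not code from Apple or from the advisory, and it does not reproduce the affected implementation; the fixed base set (2, 3, 5, 7) and all function names are assumptions chosen for illustration. A composite number that is known to pass every fixed base is accepted by the fixed-base test and rejected when the bases are drawn at random.

```python
import random

def strong_probable_prime(n, a):
    """One Miller-Rabin round: does odd n > 2 pass for base a?"""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                      # a is a witness: n is composite

def _trivial(n):
    """Settle small and even n; return None when Miller-Rabin is needed."""
    if n < 2:
        return False
    if n < 4:
        return True
    return False if n % 2 == 0 else None

FIXED_BASES = (2, 3, 5, 7)            # illustrative fixed set (assumption)

def is_prime_fixed(n):
    quick = _trivial(n)
    if quick is not None:
        return quick
    return all(strong_probable_prime(n, a % n) for a in FIXED_BASES if a % n)

def is_prime_random(n, rounds=40, rng=None):
    quick = _trivial(n)
    if quick is not None:
        return quick
    rng = rng or random.SystemRandom()  # bases unpredictable to whoever supplies n
    return all(strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))

# Known composite 151 * 751 * 28351: a strong pseudoprime to bases 2, 3, 5 and 7.
PSEUDOPRIME = 3215031751
MERSENNE_31 = 2**31 - 1               # a genuine prime, for comparison

if __name__ == "__main__":
    for n in (PSEUDOPRIME, MERSENNE_31):
        print(n, "fixed:", is_prime_fixed(n), "random:", is_prime_random(n))
```

Each random round accepts a composite with probability at most 1/4, so 40 rounds bound the error by 4^-40 regardless of how the candidate was chosen.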

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4203 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4259 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4288 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4291 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4304 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4308 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4310 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4326 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4331 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4340 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4341 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4348 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4350 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4354 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4365 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4366 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4367 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4368 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4369 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4371 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4372 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4373 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4374 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4377 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4378 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4390 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4391 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4393 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4395 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4396 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4398 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4399 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4400 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4402 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4408 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4410 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4411 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4412 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4413 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4417 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4418 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4419 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4423 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4424 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4425 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4426 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6797 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
