Security News

Last week, Apple released updates to all of its operating systems. Apple released iOS 11.4, watchOS 4.3.1 and tvOS 11.4 two days prior to making available macOS High Sierra 10.13.5 and other security updates for Sierra and El Capitan. Because of the delay, Apple held back on the security release notes for the first three updates. Now that all the notes are available, let’s see what security fixes and improvements were included!

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan

For macOS High Sierra users, Apple’s latest security update addresses the following:

The macOS High Sierra 10.13.5 Update improves the stability, performance, and security of your Mac, and is recommended for all users.
This update adds support for Messages in iCloud, which lets you store messages with their attachments in iCloud and free up space on your Mac. To enable Messages in iCloud, go to Preferences in Messages, click Accounts, then select ”Enable Messages in iCloud.”
Enterprise content:

• Variables used in SCEP payloads now expand properly.
• Configuration profiles containing a Wi-Fi payload and SCEP payload install as expected when the KeyIsExtractable key of the SCEP payload is set to false.

For Sierra and El Capitan users, the updates simply mention the improvement of security and that it is recommended for all users. Of course, there is a lot more going on in these updates than the App Store mentions in its description, so let’s take a look.

Between the three OS versions, a combined 32 security related issues were addressed. Of these, 29 applied to High Sierra, 6 applied to Sierra, and 6 applied to El Capitan with most of them shared across multiple OS versions.

Mail
Available for: macOS High Sierra 10.13.4
Impact: An attacker may be able to exfiltrate the contents of S/MIME- encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227

Security
Available for: macOS High Sierra 10.13.4
Impact: Users may be tracked by malicious websites using client certificates
Description: An issue existed in the handling of S-MIME certificaties. This issue was addressed with improved validation of S-MIME certificates.
CVE-2018-4221

You may have heard the recent news that email encryption was found to be vulnerable. An attacker could potentially read content that should be secured by encryption. The above security fix does not appear to address the same vulnerability, though. Whereas the S/MIME/PGP encryption vulnerabilities were assigned CVE numbers CVE-2017-17688 and CVE-2017-17689, Apple’s security notice mentioned patching CVE-2018-4227 and CVE-2018-4221, which do not appear to have any data publicly available. It could be related or it could be something completely different, and so certainly something to keep an eye on.

Messages
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input validation.
CVE-2018-4235

Impact: Processing a maliciously crafted message may lead to a denial of service
Description: This issue was addressed with improved message validation.
CVE-2018-4240

Two welcome vulnerability fixes for Messages, most notably a fix for the “Black dot bug” that could cause a device to crash. While I have not seen this bug affect macOS, Apple saw fit to patch this across all OS versions just to be safe.

Apple also included several graphics related fixes for AMD, NVIDIA, Intel, Graphics Drivers and iOGraphics in which an application may have been able to exploit vulnerabilities to read restricted memory or execute code with root privileges.

The Kernel got some fixes as well that protect against vulnerabilities, which could lead to denial of service attacks and root code executions.

Last but not least, new firmware is included that protects your Mac from unwanted or unauthorized firmware modifications made by malicious applications.

If you want to see more details about this update, have a look here, it is a thrilling albeit rather nerdy read!

Where to obtain these updates

On a High Sierra, Sierra or El Capitan system, simply open the App Store and check the Updates tab. The updates appropriate for your system will be listed there.

If you prefer a manual download and install, here are the links to the downloads:

• macOS 10.13.5 update – For High Sierra users currently running 10.13.4
• macOS 10.13.5 combo update – For High Sierra users running 10.13 – 10.13.4
• Security Update 2018-003 (Sierra) – For all users of macOS 10.12 Sierra
• Security Update 2018-003 (El Capitan) – For all users of macOS 10.11 El Capitan

Safari 11.1.1

Safari 11.1.1 is included in the 10.13.5 update for High Sierra users, and also available as a separate download for macOS Sierra and OS X El Capitan users. A combined 13 security issues were addressed in Safari 11.1.1. According to Apple’s security notice, these issues could lead to address bar spoofing, denial of service arbitrary code execution. Two of the fixes were for the application itself and the rest were all for WebKit.

For the full list of addressed issues, have a look here.

Where to obtain this update

As mentioned, High Sierra users will find Safari 11.1.1 built into the above mentioned 10.13.5 update. Sierra and El Capitan users can grab Safari 11.1.1 by opening the App Store and visiting the Updates tab.

iOS 11.4

Not just a security update, iOS 11.4 sports a few new features and improvements, including AirPlay 2, HomePod stereo pair and Messages in iCloud. There are bug fixes as well, and you can read about all of them right here. When it comes to security, 35 issues were addressed, including the Mail S/MIME vulnerabilities mentioned earlier.

Ten of the security fixes were for WebKit, 3 for Siri and 3 for the Kernel. Other fixes included:

Contacts
Impact: Processing a maliciously crafted vcf file may lead to a denial of service
Description: A validation issue existed in the handling of phone numbers. This issue was addressed with improved validation of phone numbers.
CVE-2018-4100

iBooks
Impact: An attacker in a privileged network position may be able to spoof password prompts in iBooks
Description: An input validation issue was addressed with improved input validation.
CVE-2018-4202

UIKit
Impact: Processing a maliciously crafted text file may lead to a denial of service
Description: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.
CVE-2018-4198

For the full list of security fixes in this update, have a look here.

iOS 10.4 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

watchOS 4.3.1

Listed as an update that adds and improves the following:

• Control volume and playback on HomePod from your Apple Watch
• Restores ability to control music on iPhone
• Use any orientation for Nightstand charging mode
• Siri watch face now shows progress towards closing Activity rings and when new songs are added to Apple Music mixes
• Resolves an issue where Activity achievements were incorrectly awarded for some users
• Fixes an issue where Siri music commands were not working for some audio devices

The update also addresses 20 security related issues, many the same as those found in iOS 11.4. The full list can be seen here.

watchOS 4.3.1 is available for all Apple Watch models and can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

tvOS 11.4

About Jay Vrijenhoek