Apple has released iOS 11.3.1, Safari 11.1, and Security Update 2018-001 (available for macOS High Sierra 10.13.4). These software updates fix a handful of vulnerabilities, including macOS High Sierra and iOS 11’s camera app QR code flaw.
Following are the most important details about each security update, and how or where to download the software.
The primary focus of iOS 11.3.1 and Security Update 2018-001 is on the following vulnerabilities:
Crash Reporter
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved error handling.
CVE-2018-4206: Ian Beer of Google Project ZeroLinkPresentation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)
We mentioned the name Roman Mueller a few weeks back, in a story describing his discovery of a QR Code vulnerability in iOS 11’s camera app. Despite this flaw existing for nearly four months, known as CVE-2018-4187, Apple has finally come around to patching the vulnerability in iOS and macOS High Sierra.
iOS 11.3.1 also includes a few fixes for WebKit vulnerabilities and addresses a screen replacement issue in which touch input would become unresponsive on some iPhone 8 devices, because they were serviced with non-genuine replacement displays.
iOS 11.3.1 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. You can download the update over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.
Security Update 2018-001 is available for any Mac running macOS High Sierra 10.13.4. You can download Security Update 2018-001 from the App Store under the Updates tab. You can also choose to download and install macOS High Sierra 10.13.4 and Security Update 2018-001 directly from Apple.com:
Safari 11.1 is an update available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4. The update fixes two WebKit vulnerabilities, the same two that are part of iOS 11.3.1, namely:
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2018-4200: Ivan Fratric of Google Project ZeroImpact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4204: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative, found by OSS-Fuzz
Safari 11.1 is included in Security Update 2018-001 for High Sierra 10.13.4 users, and also available as a separate download for Sierra and El Capitan users from the App Store under the Updates tab.
As always, make sure to backup your Mac and iOS device before installing any updates. After backing up your data, install these updates as soon as you can to ensure protection from exploits that may leverage these known vulnerabilities. Backing up your Mac is a breeze with Time Machine or Intego Personal Backup, and backing up your iOS device can be done easily as well.
In addition to the above mentioned software updates, Apple also updated its Malware Removal Tool (MRT.app) to version 1.32, adding detection for Trojan OSX/Snake.A.