Today Apple released updates for core products that include iOS 12.1, Safari 12.0.1, iCloud for Windows, iTunes, watchOS 5.1, tvOS 12.1, and macOS.
Included in these security updates are numerous code execution, privilege escalations, and information disclosure vulnerabilities. Due to this, if you are the user of any of the above products, you should update them as soon as possible.
With the release of iOS 12.1, numerous fixes were released, including four fixes for FaceTime vulnerabilities. All of these vulnerabilities were discovered by Google Project Zero vulnerability researcher Natalie Silvanovich and one of them is downright creepy.
According to the Apple security notes, the CVE-2018-4367 FaceTime vulnerability would allow a remote attackers to initiate a FaceTime call from your device through a code execution vulnerabilitiy. Imagine your phone started performing FaceTime calls to random people?
BleepingComputer has reached out to Silvanovich for more information regarding this vulnerability, but had not heard back at the time of this publication.
The other three FaceTime vulnerabilities are memory corruption issues that could lead to arbitrary code execution.
Todays macOS Sierra and High Sierra update fixes a vulnerability that could allow an attacker to crash macOS High Sierra or iOS 11 devices on the same WiFi network.
This vulnerability was discovered by Kevin Backhouse and given CVE ID CVE-2018-4407. In a blog post, Backhouse has stated that the vulnerability can be triggered by sending a malicious packet to a vulnerable devices on the same WiFi Network. To make matters worse, the vulnerability is part of the core networking code and anti-virus software will not be able to protect users.
"The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel," stated Backhouse in a blog post about the vulnerability. "XNU is used by both iOS and macOS, which is why both types of devices are affected. To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required. The attacker only needs to be connected to the same network as the target device. For example, if you are using the free WiFi in a coffee shop then an attacker can join the same WiFi network and send a malicious packet to your device. (If an attacker is on the same network as you, it is easy for them to discover your device's IP address using nmap.) To make matters worse, the vulnerability is in such a fundamental part of the networking code that anti-virus software will not protect you: I tested the vulnerability on a Mac running McAfee® Endpoint Security for Mac and it made no difference. It also doesn't matter what software you are running on the device - the malicious packet will still trigger the vulnerability even if you don't have any ports open."
Backhouse posted a video demonstration of the vulnerability to Twitter:
Video of my PoC for CVE-2018-4407. It crashes any macOS High Sierra or iOS 11 device that is on the same WiFi network. No user interaction required. pic.twitter.com/tXtp7QRCp8— Kevin Backhouse (@kevin_backhouse) October 30, 2018
Below are the rest of the Apple security updates released today.
Name and information link
|Safari 12.0.1||macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14||30 Oct 2018|
|iCloud for Windows 7.8||Windows 7 and later||30 Oct 2018|
|iTunes 12.9.1||Windows 7 and later||30 Oct 2018|
|watchOS 5.1||Apple Watch Series 1 and later||30 Oct 2018|
|iOS 12.1||iPhone 5s and later, iPad Air and later, and iPod touch 6th generation||30 Oct 2018|
|tvOS 12.1||Apple TV 4K and Apple TV (4th generation)||30 Oct 2018|
|macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra||macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14||30 Oct 2018|