SecurityTracker.com
SecurityTracker Archives
Category: OS (Other) > Apple iOS
Vendors: Apple
Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof the User Interface, Remote and Local Users Bypass Security Restrictions and Obtain Potentially Sensitive Information, and Let Applications Gain Elevated Privileges
SecurityTracker Alert ID: 1040604
SecurityTracker URL: http://securitytracker.com/id/1040604
CVE Reference: CVE-2018-4101, CVE-2018-4104, CVE-2018-4110, CVE-2018-4113, CVE-2018-4114, CVE-2018-4115, CVE-2018-4117, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4121, CVE-2018-4122, CVE-2018-4123, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4130, CVE-2018-4131, CVE-2018-4134, CVE-2018-4137, CVE-2018-4140, CVE-2018-4142, CVE-2018-4143, CVE-2018-4144, CVE-2018-4146, CVE-2018-4149, CVE-2018-4150, CVE-2018-4151, CVE-2018-4154, CVE-2018-4155, CVE-2018-4156, CVE-2018-4157, CVE-2018-4158, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165, CVE-2018-4166, CVE-2018-4167, CVE-2018-4168, CVE-2018-4172, CVE-2018-4174
Date: Mar 29 2018
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes

Description: Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions on the target system. A remote user can spoof the user interface. A remote or local user can bypass security controls on the target system. A remote or local user can obtain potentially sensitive information on the target system. An application can obtain elevated privileges on the target system.

A remote user can trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2018-4101, CVE-2018-4114, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4121, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4130, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165].

A physically local user can trigger an access control flaw in the Clock component to view the email address used for iTunes [CVE-2018-4123].

An application can trigger a race condition in the CoreFoundation component to gain elevated privileges [CVE-2018-4155, CVE-2018-4158].

A remote user can trigger a memory handling error in the CoreText component to cause denial of service conditions [CVE-2018-4142].

An application can trigger a race condition in the File System Events component to gain elevated privileges [CVE-2018-4167].

A local user can trigger a state management flaw in the Files Widget component to view cached data when the system is locked [CVE-2018-4168].

A physically local user can trigger a state management flaw in the Find My iPhone component to disable the 'Find My iPhone' feature without entering an iCloud password [CVE-2018-4172].

An application can trigger a race condition in the iCloud Drive component to gain elevated privileges [CVE-2018-4151].

An application can trigger a memory corruption error in the kernel component to execute arbitrary code with kernel privileges [CVE-2018-4150].

An application can trigger an input validation flaw in the kernel component to read restricted memory [CVE-2018-4104].

An application can trigger a memory corruption error in the kernel component to execute arbitrary code with kernel privileges [CVE-2018-4143].

A remote user in a privileged network position can trigger a user interface flaw in the Mail component to obtain the contents of S/MIME-encrypted e-mail [CVE-2018-4174].

An application can trigger a race condition in the NSURLSession component to gain elevated privileges [CVE-2018-4166].

An application can trigger a race condition in the PluginKit component to gain elevated privileges [CVE-2018-4156].

An application can trigger a race condition in the Quick Look component to gain elevated privileges [CVE-2018-4157].

A remote user can trigger a state management flaw in the Safari component to spoof the user interface [CVE-2018-4134].

A remote user can trigger a state management flaw in the SafariViewController component to spoof the user interface [CVE-2018-4149].

An application can trigger a buffer overflow in the Security component to gain elevated privileges [CVE-2018-4144].

An application can trigger a race condition in the Storage component to gain elevated privileges [CVE-2018-4154].

The system may use a configuration profile that has been removed [CVE-2018-4115].

A remote user can trigger a null pointer dereference in the processing of Class 0 SMS messages in the Telephony component to cause the target system to restart [CVE-2018-4140].

A remote user can cause a cookie to persist [CVE-2018-4110].

An array indexing error in the WebKit JavaScriptCore component may cause an ASSERT failure to occur [CVE-2018-4113].

A remote user can trigger a memory corruption error in the WebKit component to cause denial of service conditions [CVE-2018-4146].

A remote website can trigger an input validation flaw in the WebKit component fetch API to bypass cross-origin restrictions and obtain potentially sensitive information [CVE-2018-4117].

An unprivileged application can exploit a state management flaw in the WindowServer component to log keystrokes entered into other applications when secure input mode is enabled [CVE-2018-4131].

@mjonsson, Arjan van der Oest of Voiceworks BV, Abhinash Jain (@abhinashjain), Abraham Masri (@cheesecakeufo), Andreas Hegenberg of folivora.AI GmbH, Ben Compton and Jason Colley of Cerner Corporation, Brandon Moore, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team, Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera, Jun Kokatsu (@shhnjk), Natalie Silvanovich of Google Project Zero, Omair (via Trend Micro's Zero Day Initiative), Robin Leroy of Google Switzerland GmbH,
Samuel Gros (@5aelo), the UK's National Cyber Security Centre (NCSC), Viljami Vastamaki, WanderingGlitch of Trend Micro's Zero Day Initiative, Yuan Deng of Ant-financial Light-Year Security Lab, Zach Markley, Zaheen Hafzar M M (@zaheenhafzer), an anonymous researcher, an anonymous researcher (via Trend Micro's Zero Day Initiative), derrek (@derrekr6), likemeng of Baidu Security Lab (via Trend Micro's Zero Day Initiative), xisigr of Tencent's Xuanwu Lab (tencent.com), Zhiyang Zeng (@Wester) of Tencent Security Platform Department reported these vulnerabilities.

Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A remote user can spoof the user interface.

A remote or local user can obtain potentially sensitive information on the target system.

A remote or local user can bypass security controls on the target system.

An application can obtain elevated privileges on the target system.

Solution: The vendor has issued a fix (11.3).

The vendor advisory is available at:

https://support.apple.com/en-us/HT208693

Vendor URL: support.apple.com/en-us/HT208693
Cause: Access control error, Input validation error

Message History: This archive entry has one or more follow-up message(s) listed below.
Mar 30 2018 (Apple Issues Fix for Apple Safari) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof the User Interface, Remote and Local Users Bypass Security Restrictions and Obtain Potentially Sensitive Information, and Let Applications Gain Elevated Privileges
Apple has issued a fix for Apple Safari.
Mar 30 2018 (Apple Issues Fix for Apple iTunes for Windows) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof the User Interface, Remote and Local Users Bypass Security Restrictions and Obtain Potentially Sensitive Information, and Let Applications Gain Elevated Privileges
Apple has issued a fix for Apple iTunes for Windows.
Mar 30 2018 (Apple Issues Fix for Apple TV) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof the User Interface, Remote and Local Users Bypass Security Restrictions and Obtain Potentially Sensitive Information, and Let Applications Gain Elevated Privileges
Apple has issued a fix for Apple TV.
Mar 30 2018 (Apple Issues Fix for Apple Watch) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof the User Interface, Remote and Local Users Bypass Security Restrictions and Obtain Potentially Sensitive Information, and Let Applications Gain Elevated Privileges
Apple has issued a fix for Apple Watch.

Source Message Contents



[Original Message Not Available for Viewing]
Copyright 2018, SecurityGlobal.net LLC