SecurityTracker.com
Category:   OS (UNIX)  >   Apple macOS/OS X
Vendors:   Apple
Apple macOS/OS X LinkPresentation, Crash Reporter, and Kernel Bugs Let Remote Users Spoof the User Interface and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1040744
SecurityTracker URL:  http://securitytracker.com/id/1040744
CVE Reference:   CVE-2018-4187, CVE-2018-4206, CVE-2018-8897
Updated:  May 10 2018
Original Entry Date:  Apr 24 2018
Impact:   Execution of arbitrary code via local system, Modification of system information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.13.4
Description:   Three vulnerabilities were reported in Apple macOS/OS X. A local user can obtain elevated privileges on the target system. A remote user can spoof the user interface.

A remote user can send a specially crafted text message to trigger an input validation flaw in the LinkPresentation component and spoof the user interface [CVE-2018-4187].

An application can trigger a memory corruption error in the Crash Reporter component to gain elevated privileges [CVE-2018-4206].

The system does not properly handle debug exceptions delivered after a stack switch operation via mov SS or pop SS instructions. During the stack switch operation, the exceptions are deferred. As a result, a local user can gain elevated privileges on the target system [CVE-2018-8897].

Ian Beer of Google Project Zero, Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Nick Peterson, Everdox Tech LLC, Andy Lutomirski, and Roman Mueller (@faker_) reported these vulnerabilities.

Impact:   A local user can obtain elevated privileges on the target system.

A remote user can spoof the user interface.

Solution:   The vendor has issued a fix (Security Update 2018-001).

The vendor advisory is available at:

https://support.apple.com/en-us/HT208742

Vendor URL:  support.apple.com/en-us/HT208742
Cause:   Access control error, Input validation error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 24 2018 (Apple Issues Fix for Apple iOS) Apple macOS/OS X LinkPresentation and Crash Reporter Bugs Let Remote Users Spoof the User Interface and Local Users Gain Elevated Privileges
Apple has issued a fix for Apple iOS.




Copyright 2018, SecurityGlobal.net LLC