SecurityTracker.com
Category:   OS (Other)  >   Apple iOS
Vendors:   Apple
(Apple Issues Fix for Apple iOS) Apple iTunes for Windows Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code
SecurityTracker Alert ID:  1041712
SecurityTracker URL:  http://securitytracker.com/id/1041712
CVE Reference:   CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4311, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4345, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361
Date:  Sep 25 2018
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Apple iTunes for Windows. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information on the target system. Apple iOS is affected.

A remote user can create specially crafted content that, when loaded by the target user, will trigger an ASSERT failure and potentially execute arbitrary code on the target user's system [CVE-2018-4191, CVE-2018-4361].

A remote user can trigger a cross-origin bypass in the WebKit component to determine the target frame's origin [CVE-2018-4311].

A remote user can trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2018-4299, CVE-2018-4316, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359].

A remote user can trigger a cross-origin bypass in the WebKit component in the processing of 'iframe' elements [CVE-2018-4319].

A remote website can trigger a cross-site scripting error in Safari [CVE-2018-4309, CVE-2018-4345].

A remote user can trigger a use-after-free memory error in the WebKit component to execute arbitrary code [CVE-2018-4197, CVE-2018-4306, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4317, CVE-2018-4318].

@phoenhex team (@bkth_ @5aelo @_niklasb) (via Trend Micro's Zero Day Initiative), Erling Alf Ellingsen (@steike), Ivan Fratric of Google Project Zero, John Pettitt of Google, Samuel Gross (@5aelo) (via Trend Micro's Zero Day Initiative), an anonymous researcher, an anonymous researcher (via Trend Micro's Zero Day Initiative), crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team, and OSS-Fuzz reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   Apple has issued a fix for Apple iOS (12.0).

The Apple advisory is available at:

https://support.apple.com/kb/HT209106

Vendor URL:  support.apple.com/kb/HT209106
Cause:   Access control error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Sep 25 2018 Apple iTunes for Windows Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code




Copyright 2019, SecurityGlobal.net LLC