Twenty Year Anniversary

Apple Security Advisory 2018-3-29-2

Apple Security Advisory 2018-3-29-2
Posted Mar 30, 2018
Authored by Apple | Site apple.com

Apple Security Advisory 2018-3-29-2 - watchOS 4.3 is now available and addresses buffer overflow, code execution, and denial of service vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability, code execution
systems | apple
advisories | CVE-2018-4104, CVE-2018-4113, CVE-2018-4114, CVE-2018-4115, CVE-2018-4117, CVE-2018-4121, CVE-2018-4122, CVE-2018-4125, CVE-2018-4129, CVE-2018-4142, CVE-2018-4143, CVE-2018-4144, CVE-2018-4146, CVE-2018-4150, CVE-2018-4155, CVE-2018-4157, CVE-2018-4158, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4166, CVE-2018-4167
MD5 | 296e3f458cbf5f44d50ba3eb77b4d1e5

Apple Security Advisory 2018-3-29-2

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2018-3-29-2 watchOS 4.3

watchOS 4.3 is now available and addresses the following:

CoreFoundation
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4155: Samuel GroA (@5aelo)
CVE-2018-4158: Samuel GroA (@5aelo)

CoreText
Available for: All Apple Watch models
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2018-4142: Robin Leroy of Google Switzerland GmbH

File System Events
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4167: Samuel GroA (@5aelo)

Kernel
Available for: All Apple Watch models
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4150: an anonymous researcher

Kernel
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4104: The UK's National Cyber Security Centre (NCSC)

Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4143: derrek (@derrekr6)

NSURLSession
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4166: Samuel GroA (@5aelo)

Quick Look
Available for: All Apple Watch models
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional
validation.
CVE-2018-4157: Samuel GroA (@5aelo)

Security
Available for: All Apple Watch models
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2018-4144: Abraham Masri (@cheesecakeufo)

System Preferences
Available for: All Apple Watch models
Impact: A configuration profile may incorrectly remain in effect
after removal
Description: An issue existed in CFPreferences. This issue was
addressed through improved preferences cleanup.
CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of
Wandera

WebKit
Available for: All Apple Watch models
Impact: Unexpected interaction with indexing types causing an ASSERT
failure
Description: An array indexing issue existed in the handling of a
function in javascript core. This issue was addressed through
improved checks.
CVE-2018-4113: found by OSS-Fuzz

WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to a
denial of service
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2018-4146: found by OSS-Fuzz

WebKit
Available for: All Apple Watch models
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4114: found by OSS-Fuzz
CVE-2018-4121: Natalie Silvanovich of Google Project Zero
CVE-2018-4122: WanderingGlitch of Trend Micro's Zero Day Initiative
CVE-2018-4125: WanderingGlitch of Trend Micro's Zero Day Initiative
CVE-2018-4129: likemeng of Baidu Security Lab working with Trend
Micro's Zero Day Initiative
CVE-2018-4161: WanderingGlitch of Trend Micro's Zero Day Initiative
CVE-2018-4162: WanderingGlitch of Trend Micro's Zero Day Initiative
CVE-2018-4163: WanderingGlitch of Trend Micro's Zero Day Initiative

WebKit
Available for: All Apple Watch models
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with the fetch API. This
was addressed through improved input validation.
CVE-2018-4117: an anonymous researcher, an anonymous researcher

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAlq9GlspHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEZhfA//
QhXriKk82GO1fdVRi/k9EQEVNpin8cU62yjgBF3nLEoZeLKRkaZMLsoEzBZ/sOtY
v4VEJzRFcrVbDmmFtrA1ECEHe3w7tEydO9CjQsfesZ6TZRSO08ZD5fwE1Q0Jzqq7
43Dlt9/9Y+Fai48wYatj6yKfrjsF1yTnRr83M3C9mrbNJGgZ7yQeMyZ2iu+NcSry
XnsK5xoESTH3dmc9+3MCj7h8Fw5MYaWCLPD/jS7iTQDJ9tpJhB+Rw0Z6cQxBNvYn
/Sd3XiGvg0aOf3VJW/uodQFEBbBt9V2huCMsaKCLdcdTU+xZ6agmAQ9O5a/rpebP
Qa844Ug+CjHT3p8UdldRO/RTjtWhO4s1n/eK1uaJUajqv557qJni+c3GNYtjIk/U
TMb+5A7y5f3mVLIgEXaKiK8LwfXPKFXgXIWQk/Nsxda2fYHFupAm54uDx3flor2Z
ec7/7yyE7hQJ3BdalRMOTRz8+ZTKN+YZcnls6XstNWp2w+vhqj8Uo16RQG7ga5Uw
+tKm/eUe5AdHtjqFzcSfmOrS7XHXEjvqCTCDLIyoP3eWaxsxdfsN3oKOCpjRbYqU
jGZjPUVxBzx+/evM1irbtlF4GHXuGdryDvbtFMt2l7t5/gnvsZkrt0Ij93XEC79i
ARG0K0zkbtxBQF7qrn2cu/5e+LC217rBLtgO5HpxNEU=
=FEXo
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    3 Files
  • 19
    Aug 19th
    3 Files
  • 20
    Aug 20th
    21 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close