Apple Releases macOS 10.13.6 and iOS 11.4.1 Security Updates

Apple improves iOS security with USB Restricted Mode and hardens macOS against a new class of meltdown and spectre CPU vulnerabilities.

Apple

Apple released a series of updates for its desktop and mobile operating systems on July 9, providing users with multiple updates for security issues. Among the updated operating systems are iOS 11.4.1, watchOS 4.3.2, tvOS 11.4.1 and macOS High Sierra 10.13.6

The iOS 11.4.1 adds a a feature called USB Restricted Mode, which aims to make it more difficult to get un-authorized access to an iPhone. With USB Restricted Mode, a user can block USB devices from connecting to an iPhone, when the device has been locked for more than an hour. USB devices have been used in the past to help both attackers and law enforcement to gain access to locked iPhones.

With macOS 10.13.6, Apple is providing a patch for a Meltdown and Spectre CPU variant known as Lazy FP restore, identified as CVE-2018-3665, which was first publicly disclosed on June 18. 

"Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel," Apple warned in its macOS advisory.

The macOS 10.13.6 update also benefits from a pair of issues that were disclosed to Apple via Trend Micro's Zero Day Initiative (ZDI). Among the issues disclosed to Apple by ZDI researchers is CVE-2018-4268, which is a memory corruption issue in the APFS (Apple File System) library that could have led to arbitrary code execution. CVE-2018-4283 which was also reported by ZDI, is an out-of bounds memory read issue in the IOGraphics component that could have potentially enabled an attacker to read kernel memory.

Reading restricted memory is a particularly impactful type of flaw and is also addressed in updates (CVE-2018-4280, CVE-2018-4282) to the libxpc library which provides interprocess communication capabilities to both iOS and macOS.

"A malicious application may be able to read restricted memory," Apple warned in its CVE-2018-4248 advisory. 

Malicious Links

A common problem across any operating system is the risk of a user clicking on a malicious link. The CVE-2018-4277 vulnerability which was reported to Apple by Tencent's Xuanwu Lab, involves the LinkPresentation library in both iOS and macOS, which helps to display links. Tencent discovered that simply by visiting a malicious website, the LinkPresentation component can be manipulated, leading to address bar spoofing that will display a different URL than the address the user actually intended to visit.

"A spoofing issue existed in the handling of URLs," Apple warned in its advisory. "This issue was addressed with improved input validation."

Malicious Emoji

One of the more unique flaws that Apple is fixing in the iOS 11.4.1 update involves its' emoji library. Patrick Wardle of Digita Security reported the CVE-2018-4290 vulnerability in Apple's emoji library that could have potentially exposed users to risk.

"Processing an emoji under certain configurations may lead to a denial of service," Apple warned.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.