Apple released its second set of security updates so far in 2018 on Jan. 23, bringing the Meltdown and Spectre patches to its’ older operating systems.
Apple is also providing new security updates in the macOS High Sierra 10.13.3 desktop operating system and the iOS 11.2.5 mobile operating system that patch multiple critical flaws. Apple released the previous set of updates on Jan. 8 and provided an initial set of patches for Meltdown and Spectre.
“Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache,” Apple warned in its macOS security advisory.
The Meltdown Intel CPU vulnerability was initially only patched by Apple on its macOS 10.3 High Sierra operating system and is now being backported to the 10.12 Sierra and 10.11 El Capitan macOS releases. Apple had previously addressed the related Spectre vulnerabilities for the Sierra and El Capitan operating systems in a Safari web browser update released Jan. 8. The Meltdown and Spectre vulnerabilities were first publicly disclosed on Jan. 4 and have led to multiple performance and stability issues, though Apple has not reported any stability issues with its patches.
The Meltdown and Spectre vulnerabilities were reported by a group of security researchers, including Google Project Zero security researcher Jann Horn. Horn is now credited by Apple for reporting a pair of new operating system kernel vulnerabilities that are being patched in the macOS High Sierra 10.13.3 and iOS 11.2.5 updates as well. Both of the issues (CVE-2018-4090, CVE-2018-4093) could have potentially enabled an application to read restricted memory without authorization. The ability to read restricted memory is also coincidentally at the core of the Meltdown and Spectre issues.
Also of note in the new Apple update is the CVE-2018-4100 vulnerability in the LinkPresentation function that has been dubbed as the “ChaiOS” flaw, which could trigger a device crash. ChaiOS was publicly reported by security researchers Abraham Masri on Jan. 15.
“Processing a maliciously crafted text message may lead to application denial of service,” Apple warned in its advisory.
In addition to the patch to protect against malicious text files, Apple is also patching for a flaw that could have enabled attacks via a malicious audio file. The CVE-2018-4094 vulnerability in Apple’s audio library was discovered by a team of researchers from the Information Security Lab at Yonsei University in South Korea.
“Processing a maliciously crafted audio file may lead to arbitrary code execution,” Apple warned. “A memory corruption issue was addressed through improved input validation.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.