Apple iOS 11.3.1 Fixes QR Code Security Flaw

Apple releases its fifth security patch update so far in 2018, patching issues in iOS 11.3.1 and macOS 10.13.4.


Less than a month after its last set of security updates, Apple released a new set of security patches for both iOS and macOS on April 24.

For its iOS mobile operating system, Apple has released version 11.3.1; on the desktop, the update is identified as Security Update 2018-001 for macOS High Sierra 10.13.4. For iOS, Apple patched a total of four vulnerabilities, while patching two issues in macOS, with an additional two patches in the Safari 11.1 browser update.

Among the most impactful issues is one identified as CVE-2018-4187, which is a flaw in the LinkPresentation component in both iOS and macOS.

"Processing a maliciously crafted text message may lead to UI spoofing," Apple warns in its advisory. "A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation."

Although Apple's advisory provides few details, the actual spoofing issue was in the in QR code reader capabilities. On March 24, security researcher Roman Mueller publicly reported the flaw, which he labeled as a QR code URL parser bug. According to Mueller, both the URL parser in iOS and the one used in macOS were able to be manipulated to show a different hostname in the notification window for a QR code scan than what actually is opened in Safari.

Memory Corruption

Apple also patched multiple memory corruption issues that impact iOS and macOS. Two of the memory corruption issues were reported to Apple by security researchers from Google's Project Zero research team.

"An application may be able to gain elevated privileges," Apple warned in its advisory for CVE-2018-4206. "A memory corruption issue was addressed with improved error handling."

The other memory corruption issues—including CVE-2018-4200 and CVE-2018-4204—were all found in Apple Safari and impact both iOS and macOS. According to Apple, the issues identified in both of the WebKit related memory corruption issues are that processing maliciously crafted web content may lead to arbitrary code execution.

The new Apple releases are the fifth set of security patches to be released by Apple so far in 2018. The previous set of updates was released on March 29, with the iOS 11.3 and MacOS 10.13.4 updates that patched a critical keylogging vulnerability.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.