While much of the focus on Oct. 30 for Apple was on the company’s refreshed product launches for MacBook Air, Mini and iPad, Apple also released a series of critical security updates.
Among the updated releases are macOS Mojave 10.14.1, iOS 12.1 and watchOS 5.1, fixing high-impact flaws that include remote code execution issues that could potentially enable attackers to take over unpatched devices. Code security vendor Semmle reported six of the remote code execution issues that were found in the XNU operating system kernel that is at core of Apple’s devices.
“The vulnerabilities are in XNU’s networking code and its client-side NFS implementation,” Semmle wrote in an advisory. “The vulnerabilities may allow malicious attackers on the same network to take control of any vulnerable Apple device. A remote attacker could run arbitrary code, extract data, crash the devices, or reset them to factory settings.”
Among the six issues discovered by Semmle and now patched across Apple’s operating systems is CVE-2018-4407, which is a heap buffer-overflow vulnerability in the ICMP packet-handling module of the XNU kernel’s networking code. The other five issues discovered by Semmle are NFS (Network File System) issues CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288 and CVE-2018-4291.
“The vulnerabilities allow an attacker to mount a maliciously-crafted NFS volume to gain kernel-level privileges,” Semmle warned.
One of the more interesting sets of flaws patched in iOS 12.1 includes three vulnerabilities (CVE-2018-4384, CVE-2018-4366 and CVE-2018-4367) that impact Apple’s FaceTime messaging application. All three flaws were reported by Google Project Zero security researcher Natalie Silvanovich. The FaceTime flaws could have potentially enabled a remote attacker to execute arbitrary code, or even start an unintended call.
“A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution,” Apple warned in its iOS advisory.
FaceTime isn’t the only Apple service that a remote attacker could have compromised to perform unintended actions. The CVE-2018-4153 flaw in the open-source CUPS printing system used by macOS could have enabled a remote attacker to replace the message content from the print server with arbitrary content.
A dictionary attack is a common attack technique where an attacker pulls words from a dictionary and uses them in a brute force attack in an attempt to discover user passwords. The CVE-2018-4346 issue that has now been fixed in macOS however deals with a different type of dictionary flaw.
“Parsing a maliciously crafted dictionary file may lead to disclosure of user information,” Apple warned.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.