Apple released a set of security and features updates for its mobile iOS and desktop macOS operating systems on March 29, as well as introduced a new privacy notification icon.
iOS 11.3 and macOS 10.13.4 follow Apple’s iOS 11.2.6 and macOS High Sierra 10.13.3 supplemental updates that were released on Feb. 20 primarily to deal with a bug that was triggering Apple devices to crash when certain Indian language characters were received in a message.
In the most recent iOS update, Apple patched a new bug, identified as CVE-2018-4140, which similarly could have triggered iOS devices to restart after receiving a malicious SMS text message.
“A remote attacker can cause a device to unexpectedly restart,” Apple warned in its advisory. “A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed through improved message validation.”
iOS 11.3 includes a patch for a flaw in the “Find My iPhone” capability that allows users to track and locate misplaced devices. According to Apple’s CVE-2018-4172 security advisory, a person with physical access to an iOS device may be able to disable Find My iPhone without entering an iCloud password.
“A state management issue existed when restoring from a backup,” Apple stated. “This issue was addressed through improved state checking during restore.”
The new security updates address a number of issues that impact both iOS and macOS, including a vulnerability in the shared Apple WindowServer component that could have logged user keystrokes.
“An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled,” Apple’s CVE-2018-4131 advisory states. “This issue was addressed by improved state management.”
The macOS High Sierra 10.13.4 update also provides a patch for yet another password security-related issue in Apple’s desktop operating system. “The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users,” Apple’s CVE-2018-4170 advisory warns. “This update makes the password parameter optional, and sysadminctl will prompt for the password if needed.”
Apple has been busy since the initial release of macOS High Sierra 10.13 in September 2017, patching multiple password security flaws. Password-related flaws in macOS were patched in October and November 2017, as well in January 2018.
Across Apple’s operating systems, the single largest source of vulnerability fixes in the new updates are in the WebKit web rendering engine, which has been patched for at least 19 different issues. Sixteen of the WebKit issues are identified as memory corruption issues that could lead to arbitrary code execution.
Beyond patches for security vulnerabilities, Apple has made multiple enhancements to improve both security and privacy in iOS and macOS.
When Apple features ask to use personal information, a new privacy icon will be displayed providing links to information explaining how data will be used and protected. In addition, the Safari web browser smart search field will display warnings when users attempt to interact with password or credit card forms on unencrypted webpages.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.