It’s time to update your Apple devices and software again: the company has pushed out security updates for macOS, iOS, watchOS, tvOS, Safari, and iCloud and iTunes for Windows.
The iCloud and iTunes updates include an almost identical list of plugged flaws: a bucketful of vulnerabilities in the WebKit browser engine, the majority of which can lead to arbitrary code execution, and three authorization issues discovered by software developer and researcher Abraham Masri, which could be exploited by a local attacker to modify the state of the Keychain, view sensitive user information, and read a persistent device identifier.
The Safari update contains fixes for the aforementioned WebKit flaws, and two vulnerabilities that can trigger address bar spoofing or cause a denial of service if the user lands on a specially crafted malicious website.
The Crash Reporter bug (CVE-2018-4206) fixed in iOS in April has now been fixed in watchOS and tvOS. The bug affects the app that sends Unix crash logs to Apple for engineers to review and shows crash alerts to users. Its faulty error handling could allow an application to trigger memory corruption and thereby gain elevated privileges.
Other fixed vulnerabilities of note in those two updates are the authorization issues flagged by Masri, two vulnerabilities in Messages (one of which could allow a local user to conduct impersonation attacks), and a validation issue in UIKit, which could lead to denial of service if a maliciously crafted text file is processed.
iOS and macOS security and functional updates
The Messages issues have also been fixed in iOS and macOS (High Sierra).
The Sierra and El Capitan updates contain fixes for five vulnerabilities, but High Sierra users get much more than that, including a solution for an out-of-bounds read issue affecting graphics drivers for Intel and AMD chips, a flaw that could allow a malicious application with root privileges to modify the EFI flash memory region, and the infamous Efail bug.
The Efail bug was also addressed in the iOS update, along with vulnerabilities affecting Siri, which could allow a person with physical access to an iOS device to enable Siri from the lock screen, to use it to read notifications of content that is set not to be displayed at the lock screen, or to view private contact information.
High Sierra 10.13.5 and iOS 11.4 also come with support for Messages in iCloud, a feature that Apple has been working on for a while now. It allows users to store messages they sent or received via the Messages app (including attachments) in iCloud, and to have those messages synchronised across all the Apple devices a user possesses.
It is a helpful feature, but users should be aware that although these messages are end-to-end encrypted, if iCloud Backup is turned on, a copy of the key protecting their Messages is included in that backup.
“This ensures you can recover your Messages if you’ve lost access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and it is not stored by Apple,” the company explained in the most recent update of the iCloud security overview document.