Apple unveiled new Macs and iPads on Tuesday and has pushed out security updates for macOS (Mojave, High Sierra, Sierra), iOS, watchOS, tvOS, Safari, iTunes, and iCloud for Windows.
Among the various vulnerabilities fixed is an ICMP packet-handling vulnerability in the XNU kernel that could be exploited remotely to achieve code execution on, extract data from, or crash macOS-powered devices.
Closed MacBooks disable microphone
During the Apple event that presented the new devices to the world, Apple also revealed that all new Mac portables (MacBooks) that have the T2 security chip built in automatically disable the microphone when the lid of the device is closed.
“This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,” Apple explained.
“The camera is not disconnected in hardware because its field of view is completely obstructed with the lid closed.”
The security updates for the various supported macOS versions fix a bucketload of vulnerabilities.
Among these is CVE-2018-4407, a vulnerability in Apple’s XNU operating system kernel that was discovered and reported by Semmle security researcher Kevin Backhouse.
It is a heap buffer-overflow vulnerability in the ICMP packet-handling module of the kernel’s networking code and may allow an attacker to execute arbitrary code or extract data from a target device by sending a malicious IP packet across the network, as well as to crash the device and force a reboot.
“Because the vulnerability can be easily exploited, and is remotely triggerable without any user interaction, the vulnerability could be automated as a denial-of-service attack, continually crashing all vulnerable devices on a network, which could effectively shut down an organization,” the company explained.
The vulnerability affects iMacs and MacBooks, iPhones and iPads, iWatches and Apple TVs. Apple already patched it in iOS, watchOS, tvOS and macOS Mojave in September, and has now finally plugged the hole in macOS Sierra and High Sierra.
Backhouse noted that the vulnerability can be exploited without special permissions or specialist hardware and that, apart from upgrading, there’s very little users can do to protect themselves, so he advised users of all affected devices to hop to it.
The iOS security update (iOS 12.1) is also chock-full of fixes, including those for:
- A vulnerability in the Graphics Driver that could allow a remote attacker to initiate a FaceTime call causing arbitrary code execution (CVE-2018-4384)
- Many kernel and WebKit vulnerabilities
- Two vulnerabilities (CVE-2018-4387, CVE-2018-4388) that may allow a physically present attacker to bypass the device’s lock screen. The flaws were flagged by researcher Jose Rodriguez, who recently demonstrated similar passcode bypass vulnerabilities.