Apple debugs debugger, nukes pesky vulns in iOS, WebKit, macOS

Cook's Cupertino crew corrects coding cockups

Apple has issued a trio of updates to patch security vulnerabilities in Safari, macOS, and iOS.

For iOS, the update to 11.3.1 addresses a total of four CVE-listed vulnerabilities, including one that is present in the debugging tool used across both iOS and macOS.

That vulnerability, CVE-2018-4206, was spotted in Crash Reporter by researcher Ian Beer of Google's Project Zero. According to Apple, a vulnerability in Crash Reporter's error handling would have allowed an application to trigger a memory corruption error that would have enabled elevation of privilege.

In summary: the debugger had a bug, and a buggy app could have triggered the debugger bug to bugger up everything. To get the patch you'll want to install iOS 11.3.1 or Security Update 2018-001.


Also patched in iOS was CVE-2018-4187, a UI spoofing vulnerability discovered by Tencent researcher Zhiyang Zeng and Roman Mueller. As explained by Mueller, the vulnerability actually lies in a recently-introduced QR-reading feature Apple added to iOS. Because the camera fails to properly scan and redirect URLs from QR codes, users could be sent to spoof or phishing sites.

Finally, the iOS update addresses two memory corruption flaws in WebKit: CVE-2018-4200, reported by Ivan Fratric of Project Zero, and CVE-2018-4200, found by Richard Zhu of Trend Micro's Zero Day Initiative. Both would allow a specially-crafted webpage to achieve remote code execution.

Those two WebKit bugs will also be addressed in Safari 11.1, as the Apple web browser shares its engine (and many of the resulting vulnerabilities) with iOS. Users running El Capitan, Sierra, and High Sierra will be getting the Safari update.

Finally, Mac users running High Sierra (macOS 10.13.4) will want to install Security Update 2018-001. That update addresses the macOS occurrences of both CVE-2018-4187 (the QR reader bug), and CVE-2018-4206 (the Crash Reporter vulnerability).

No other security updates were released by Apple, so those running an Apple Watch or AppleTV won't have to look for patches right now. ®
