About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
This document describes the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra.
About Apple security updates
For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
afpserver
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A remote attacker may be able to attack AFP servers through HTTP clients
Description: An input validation issue was addressed with improved input validation.
CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley
AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4410: an anonymous researcher working with Trend Micro's Zero Day Initiative
AppleGraphicsControl
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitisation.
CVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative
APR
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Multiple buffer overflow issues existed in Perl
Description: Multiple issues in Perl were addressed with improved memory handling.
CVE-2017-12613: Craig Young of Tripwire VERT
CVE-2017-12618: Craig Young of Tripwire VERT
ATS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative
ATS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2018-4308: Mohamed Ghannam (@_simo36)
Automator
Available for: macOS Mojave 10.14
Impact: A malicious application may be able to access restricted files
Description: This issue was addressed by removing additional entitlements.
CVE-2018-4468: Jeff Johnson of underpassapp.com
CFNetwork
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative
CoreAnimation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4415: Liang Zhuo working with Beyond Security’s SecuriTeam Secure Disclosure
CoreCrypto
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers
Description: An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes.
CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of Royal Holloway, University of London, and Juraj Somorovsky of Ruhr University, Bochum
CoreFoundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4412: The UK's National Cyber Security Centre (NCSC)
CUPS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content
Description: An injection issue was addressed with improved validation.
CVE-2018-4153: Michael Hanselmann of hansmi.ch
CUPS
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An attacker in a privileged position may be able to perform a denial-of-service attack
Description: A denial-of-service issue was addressed with improved validation.
CVE-2018-4406: Michael Hanselmann of hansmi.ch
Dictionary
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Parsing a maliciously crafted dictionary file may lead to disclosure of user information
Description: A validation issue existed which allowed local file access. This was addressed with input sanitisation.
CVE-2018-4346: Wojciech Reguła (@_r3ggi) of SecuRing
Dock
Available for: macOS Mojave 10.14
Impact: A malicious application may be able to access restricted files
Description: This issue was addressed by removing additional entitlements.
CVE-2018-4403: Patrick Wardle of Digita Security
dyld
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14, macOS Sierra 10.12.6
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4423: Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech)
EFI
Available for: macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilising speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorised disclosure of information to an attacker with local user access via a side-channel analysis
Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.
CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC)
EFI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: A local user may be able to modify protected parts of the file system
Description: A configuration issue was addressed with additional restrictions.
CVE-2018-4342: Timothy Perfitt of Twocanoes Software
Foundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Processing a maliciously crafted text file may lead to a denial of service
Description: A denial-of-service issue was addressed with improved validation.
CVE-2018-4304: jianan.huang (@Sevck)
Grand Central Dispatch
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4426: Brandon Azad
Heimdal
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4331: Brandon Azad
Hypervisor
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: Systems with microprocessors utilising speculative execution and address translations may allow unauthorised disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis
Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.
CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide
Hypervisor
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team
ICU
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted string may lead to heap corruption
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4394: Erik Verbruggen of The Qt Company
Intel Graphics Driver
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4334: Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitisation.
CVE-2018-4396: Yu Wang of Didi Research America
CVE-2018-4418: Yu Wang of Didi Research America
Intel Graphics Driver
Available for: macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4350: Yu Wang of Didi Research America
Intel Graphics Driver
Available for: macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2018-4421: Tyler Bohan of Cisco Talos
IOGraphics
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4422: an anonymous researcher working with Trend Micro's Zero Day Initiative
IOHIDFamily
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4408: Ian Beer of Google Project Zero
IOKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4402: Proteas of Qihoo 360 Nirvan Team
IOKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4341: Ian Beer of Google Project Zero
CVE-2018-4354: Ian Beer of Google Project Zero
IOUserEthernet
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4401: Apple
IPSec
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group
Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2018-4420: Mohamed Ghannam (@_simo36)
Kernel
Available for: macOS High Sierra 10.13.6
Impact: A malicious application may be able to leak sensitive user information
Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.
CVE-2018-4399: Fabiano Anemone (@anoane)
Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4340: Mohamed Ghannam (@_simo36)
CVE-2018-4419: Mohamed Ghannam (@_simo36)
CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative
Kernel
Available for: macOS Sierra 10.12.6
Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com
CVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com
Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An application may be able to read restricted memory
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security Team
Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4407: Kevin Backhouse of Semmle Ltd.
Kernel
Available for: macOS Mojave 10.14
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved size validation.
CVE-2018-4424: Dr. Silvio Cesare of InfoSect
LinkPresentation
Available for: macOS Sierra 10.12.6
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department
Login Window
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A local user may be able to cause a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity
Available for: macOS Mojave 10.14
Impact: Processing a maliciously crafted mail message may lead to UI spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar Gislason of Syndis
mDNSOffloadUserClient
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team
MediaRemote
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs
Microcode
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: Systems with microprocessors utilising speculative execution and that perform speculative reads of system registers may allow unauthorised disclosure of system parameters to an attacker with local user access via a side-channel analysis
Description: An information disclosure issue was addressed with a microcode update. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel.
CVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone), Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com)
NetworkExtension
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: Connecting to a VPN server may leak DNS queries to a DNS proxy
Description: A logic issue was addressed with improved state management.
CVE-2018-4369: an anonymous researcher
Perl
Available for: macOS Sierra 10.12.6
Impact: Multiple buffer overflow issues existed in Perl
Description: Multiple issues in Perl were addressed with improved memory handling.
CVE-2018-6797: Brian Carpenter
Ruby
Available for: macOS Sierra 10.12.6
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Multiple issues in Ruby were addressed in this update.
CVE-2017-0898
CVE-2017-10784
CVE-2017-14033
CVE-2017-14064
CVE-2017-17405
CVE-2017-17742
CVE-2018-6914
CVE-2018-8777
CVE-2018-8778
CVE-2018-8779
CVE-2018-8780
Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: Processing a maliciously crafted S/MIME signed message may lead to a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd.
Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: A local user may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2018-4395: Patrick Wardle of Digita Security
Spotlight
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4393: Lufeng Li
Symptom Framework
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative
Wi-Fi
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14
Impact: An attacker in a privileged position may be able to perform a denial-of-service attack
Description: A denial-of-service issue was addressed with improved validation.
CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile Networking Lab at Technische Universität Darmstadt
Additional recognition
Calendar
We would like to acknowledge Matthew Thomas of Verisign for their assistance.
coreTLS
We would like to acknowledge Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group) and Yuval Yarom (University of Adelaide and Data61) for their assistance.
iBooks
We would like to acknowledge Sem Voigtländer of Fontys Hogeschool ICT for their assistance.
Kernel
We would like to acknowledge Brandon Azad for their assistance.
LaunchServices
We would like to acknowledge Alok Menghrajani of Square for their assistance.
Quick Look
We would like to acknowledge lokihardt of Google Project Zero for their assistance.
Security
We would like to acknowledge Marinos Bernitsas of Parachute for their assistance.
Terminal
We would like to acknowledge Federico Bento for their assistance.
Time Machine
We would like to acknowledge Matthew Thomas of Verisign for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.