About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan

This document describes the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.

Apple security documents reference vulnerabilities by CVE-ID when possible.

macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan

Released March 29, 2018

Admin Framework

Available for: macOS High Sierra 10.13.3

Impact: Passwords supplied to sysadminctl may be exposed to other local users

Description: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional, and sysadminctl will prompt for the password if needed.

CVE-2018-4170: an anonymous researcher

APFS

Available for: macOS High Sierra 10.13.3

Impact: An APFS volume password may be unexpectedly truncated

Description: An injection issue was addressed through improved input validation.

CVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot

ATS

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: Processing a maliciously crafted file might disclose user information

Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.

CVE-2018-4112: Haik Aftandilian of Mozilla

CFNetwork Session

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4166: Samuel Groß (@5aelo)

CoreFoundation

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4155: Samuel Groß (@5aelo)

CVE-2018-4158: Samuel Groß (@5aelo)

CoreText

Available for: macOS High Sierra 10.13.3

Impact: Processing a maliciously crafted string may lead to a denial of service

Description: A denial of service issue was addressed through improved memory handling.

CVE-2018-4142: Robin Leroy of Google Switzerland GmbH

CoreTypes

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image

Description: A logic issue was addressed with improved restrictions.

CVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis

curl

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Multiple issues in curl

Description: An integer overflow existed in curl. This issue was addressed through improved bounds checking.

CVE-2017-8816: Alex Nichols

Entry updated March 30, 2018

Disk Images

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: Mounting a malicious disk image may result in the launching of an application

Description: A logic issue was addressed with improved validation.

CVE-2018-4176: Theodor Ragnar Gislason of Syndis

Disk Management

Available for: macOS High Sierra 10.13.3

Impact: An APFS volume password may be unexpectedly truncated

Description: An injection issue was addressed through improved input validation.

CVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher

File System Events

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4167: Samuel Groß (@5aelo)

iCloud Drive

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4151: Samuel Groß (@5aelo)

Intel Graphics Driver

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360

IOFireWireFamily

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.

Kernel

Available for: macOS High Sierra 10.13.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4150: an anonymous researcher

Kernel

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4104: The UK's National Cyber Security Centre (NCSC)

Kernel

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4143: derrek (@derrekr6)

Kernel

Available for:  OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2018-4136: Jonas Jensen of lgtm.com and Semmle

Kernel

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2018-4160: Jonas Jensen of lgtm.com and Semmle

kext tools

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2018-4139: Ian Beer of Google Project Zero

LaunchServices

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: A maliciously crafted application may be able to bypass code signing enforcement

Description: A logic issue was addressed with improved validation.

CVE-2018-4175: Theodor Ragnar Gislason of Syndis

Local Authentication

Available for: macOS High Sierra 10.13.3

Impact: A local user may be able to view senstive user information

Description: There was an issue with the handling of smartcard PINs. This issue was addressed with additional logic.

CVE-2018-4179: David Fuhrmann

Entry added April 13, 2018

Mail

Available for: macOS High Sierra 10.13.3

Impact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail

Description: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.

CVE-2018-4111: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum

Entry updated April 13, 2018

Mail

Available for: macOS High Sierra 10.13.3

Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.

Entry updated April 13, 2018

Notes

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4152: Samuel Groß (@5aelo)

NSURLSession

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4166: Samuel Groß (@5aelo)

NVIDIA Graphics Drivers

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360

PDFKit

Available for: macOS High Sierra 10.13.3

Impact: Clicking a URL in a PDF may visit a malicious website

Description: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation.

CVE-2018-4107: Nick Safford of Innovia Technology

Entry updated April 9, 2018

PluginKit

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4156: Samuel Groß (@5aelo)

Quick Look

Available for: macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4157: Samuel Groß (@5aelo)

Security

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved size validation.

CVE-2018-4144: Abraham Masri (@cheesecakeufo)

Status Bar

Available for: macOS High Sierra 10.13.3

Impact: A malicious application may be able to access the microphone without indication to the user

Description: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.

CVE-2018-4173: Joshua Pokotilow of pingmd

Entry added April 9, 2018

Storage

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2018-4154: Samuel Groß (@5aelo)

System Preferences

Available for: macOS High Sierra 10.13.3

Impact: A configuration profile may incorrectly remain in effect after removal

Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.

CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera

Terminal

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3

Impact: Pasting malicious content may lead to arbitrary command execution spoofing

Description: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters.

CVE-2018-4106: Simon Hosie

WindowServer

Available for: macOS High Sierra 10.13.3

Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled

Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.

CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH

Additional recognition

Mail

We would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.

Entry added June 21, 2018

Security

We would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.

Entry added April 13, 2018

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date:Fri Jun 22 02:04:50 GMT 2018