It's 2018 and your Macs, iPhones can be pwned by playing evil music
Meanwhile, HomePod inches closer to actually shipping, allegedly
Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.
On macOS, the update will be delivered as High Sierra 10.13.3, or as Security Update 2018-001 for Sierra and El Capitan machines.
Headlining the security update is a patch for CVE-2017-5754, better known as Meltdown. The Intel processor bug allows malicious code to potentially read sensitive data and personal information, such as passwords, from kernel memory.
Apple quietly patched macOS 10.13 in December against Meltdown, and now this fix is available for previous flavors of the operating system via this update. The Cupertino giant earlier issued mitigations for the related Spectre CPU flaws.
Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and a memory initialization bug (CVE-2018-4090) that could also allow restricted memory to be read. The last two were reported by Jann Horn of Google Project Zero, who also stumbled upon the Meltdown and Spectre CPU design flaws.
Two other kernel flaws, CVE-2018-4097 and CVE-2018-4082, allow an app to run code as the kernel, thus hijacking the whole machine. The first is "a logic issue [...] addressed with improved validation," discovered by Resecurity Inc, and the second "a memory corruption issue [...] addressed through improved input validation" found and reported by Russ Cox of Google.
Other noteworthy bugs include CVE-2018-4094, a bug in both Sierra and High Sierra discovered by five researchers at Yonsei University in Seoul, South Korea. The memory corruption bug allows remote code execution attacks simply by processing a maliciously crafted audio file.
The WebKit browser engine received three fixes for remote code execution flaws (CVE-2018-4088, CVE-2018-4089, CVE-2018-4096) that are also patched in Safari with version 11.0.3.
The QuartzCore component contained a remote code execution flaw (CVE-2018-4085) that can be exploited via web content, while Wi-Fi had a restricted memory access flaw (CVE-2018-4084), and a bug in the operating system's process sandbox (CVE-2018-4091) could allow programs to get around access restrictions.
Meanwhile, on mobile...
For iOS devices, Apple has served up the 11.2.5 update. It includes a fix for the CVE-2018-4094 audio-file remote-code execution flaw as well as the three kernel memory leak bugs (CVE-2018-4090, CVE-2018-4092, CVE-2018-4093), and the QuartzCore and WebKit flaws included in the macOS update.
Researcher Abraham "cheesecakeufo" Masri gets credit for CVE-2018-4100, a patched flaw in iOS that allows text messages to crash the iPhone, while Zimperium zLabs' Rani Idan was credited for CVE-2018-4095 and CVE-2018-4087, a pair of arbitrary code execution flaws in Core Bluetooth.
Masri's text-message bug, CVE-2018-4100, is also fixed in macOS's LinkPresentation code to prevent weird text in webpages and messages from stalling desktop apps.
In other Apple news
Cook and Co. revealed Tuesday that the HomePod, a $349 smart speaker first revealed last June, will be making its eagerly awaited debut… in another couple of weeks. Starting Friday, punters can pre-order a HomePod, or just wait until February 9 when the hardware is slated to hit the shelves. ®