Ministero dello Sviluppo Economico

CERT Nazionale Italia - Computer Emergency Response Team

Vulnerabilities

Security updates for Apple products (30 October 2018)

apple, iCloud, iTunes, Safari. Wednesday, 31 October 2018

Apple has released security updates that fix several vulnerabilities in macOS, iOS, watchOS, tvOS, Safari, iTunes for Windows and iCloud for Windows.

Apple macOS is an operating system for Mac computers. Apple iOS is an operating system for iPhone, iPod touch and iPad. Apple watchOS is the operating system for Apple Watch. Apple tvOS is the operating system for Apple TV. Apple Safari is a web browser available for macOS and Microsoft Windows. iTunes is an application for managing media files. iCloud is Apple's cloud-based SaaS system.

The macOS update contains several security fixes that resolve numerous vulnerabilities, some of them of high severity, in macOS Sierra 10.12.6, macOS High Sierra 10.13.6 and macOS Mojave 10.14. Exploiting the most serious of these vulnerabilities could allow an attacker to access protected memory areas, gain elevated privileges, execute arbitrary code on the system or cause denial-of-service conditions.

The macOS update also includes security improvements that mitigate the effects of the CPU side-channel attacks known as Speculative Store Bypass (SSB) (CVE-2018-3639), Rogue System Register Read (RSRE) (CVE-2018-3640) and Foreshadow/L1 Terminal Fault (L1TF) (CVE-2018-3646).

Details of the vulnerabilities fixed in macOS:

  • afpserver: an input validation issue may allow a remote attacker to attack AFP servers through HTTP clients (CVE-2018-4295).
  • AppleGraphicsControl: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4410).
  • AppleGraphicsControl: a validation issue may allow an application to read restricted memory (CVE-2018-4417).
  • APR: multiple buffer overflow issues in Perl (CVE-2017-12613, CVE-2017-12618).
  • ATS: a memory corruption issue may allow an application to elevate privileges (CVE-2018-4411).
  • ATS: an out-of-bounds read may allow an application to read restricted memory (CVE-2018-4308).
  • CFNetwork: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4126).
  • CoreAnimation: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4415).
  • CoreCrypto: an attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers (CVE-2018-4398).
  • CoreFoundation: a memory corruption issue may allow a malicious application to elevate privileges (CVE-2018-4412).
  • CUPS: an injection issue in certain configurations may allow a remote attacker to replace the message content from the print server with arbitrary content (CVE-2018-4153).
  • CUPS: an attacker in a privileged position may be able to perform a denial of service attack (CVE-2018-4406).
  • Dictionary: parsing a maliciously crafted dictionary file may allow local file access, leading to disclosure of user information (CVE-2018-4346).
  • Dock: a malicious application may be able to access restricted files (CVE-2018-4403).
  • dyld: a logic issue may allow a malicious application to elevate privileges (CVE-2018-4423).
  • EFI: systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (CVE-2018-3639).
  • EFI: a configuration issue may allow a local user to modify protected parts of the file system (CVE-2018-4342).
  • Foundation: processing a maliciously crafted text file may lead to a denial of service (CVE-2018-4304).
  • Grand Central Dispatch: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4426).
  • Heimdal: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4331).
  • Hypervisor: systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (CVE-2018-3646).
  • Hypervisor: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4242).
  • ICU: a memory corruption issue may lead to heap corruption when processing a maliciously crafted string (CVE-2018-4394).
  • Intel Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4334).
  • Intel Graphics Driver: a validation issue may allow an application to read restricted memory (CVE-2018-4396, CVE-2018-4418).
  • Intel Graphics Driver: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4350).
  • IOGraphics: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4422).
  • IOHIDFamily: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4408).
  • IOKit: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4402).
  • IOKit: a memory corruption issue may allow a malicious application to break out of its sandbox (CVE-2018-4341, CVE-2018-4354).
  • IOUserEthernet: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4401).
  • IPSec: an out-of-bounds read may allow an application to gain elevated privileges (CVE-2018-4371).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4420).
  • Kernel: an access issue with privileged API calls may allow a malicious application to leak sensitive user information (CVE-2018-4399).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4340, CVE-2018-4419, CVE-2018-4425).
  • Kernel: multiple memory corruption issues may lead to arbitrary code execution with system privileges when mounting a maliciously crafted NFS network share (CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291).
  • Kernel: a memory initialization issue may allow an application to read restricted memory (CVE-2018-4413).
  • Kernel: a memory corruption issue may allow an attacker in a privileged network position to execute arbitrary code (CVE-2018-4407).
  • Kernel: a buffer overflow may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4424).
  • Login Window: a validation issue may allow a local user to cause a denial of service (CVE-2018-4348).
  • Mail: an inconsistent user interface issue may lead to UI spoofing when processing a maliciously crafted mail message (CVE-2018-4389).
  • mDNSOffloadUserClient: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4326).
  • MediaRemote: an access issue may allow a sandboxed process to circumvent sandbox restrictions (CVE-2018-4310).
  • Microcode: systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis (CVE-2018-3640).
  • NetworkExtension: connecting to a VPN server may leak DNS queries to a DNS proxy (CVE-2018-4369).
  • Perl: multiple buffer overflow issues in Perl (CVE-2018-6797).
  • Ruby: multiple issues in Ruby may allow a remote attacker to cause unexpected application termination or arbitrary code execution (CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064, CVE-2017-17405, CVE-2017-17742, CVE-2018-6914, CVE-2018-8777, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780).
  • Security: a validation issue may lead to a denial of service when processing a maliciously crafted S/MIME signed message (CVE-2018-4400).
  • Security: a local user may be able to cause a denial of service (CVE-2018-4395).
  • Spotlight: a memory corruption issue may allow an application to execute arbitrary code with system privileges (CVE-2018-4393).
  • Symptom Framework: an out-of-bounds read may allow an application to read restricted memory (CVE-2018-4203).
  • Wi-Fi: an attacker in a privileged position may be able to perform a denial of service attack (CVE-2018-4368).

The iOS update contains several security fixes that resolve a number of serious vulnerabilities that could allow an attacker to access protected memory areas, execute arbitrary code on the system or cause denial-of-service conditions.

Details of the vulnerabilities fixed in iOS:

  • AppleAVD: a memory corruption issue may lead to arbitrary code execution when processing malicious video via FaceTime (CVE-2018-4384).
  • Contacts: an out-of-bounds read may lead to a denial of service when processing a maliciously crafted vcf file (CVE-2018-4365).
  • CoreCrypto: an attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers (CVE-2018-4398).
  • FaceTime: a memory corruption issue may allow a remote attacker to leak memory (CVE-2018-4366).
  • FaceTime: a memory corruption issue may allow a remote attacker to initiate a FaceTime call causing arbitrary code execution (CVE-2018-4367).
  • Graphics Driver: a memory corruption issue may allow a remote attacker to initiate a FaceTime call causing arbitrary code execution (CVE-2018-4384).
  • ICU: a memory corruption issue may lead to heap corruption when processing a maliciously crafted string (CVE-2018-4394).
  • IOHIDFamily: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4427).
  • IPSec: an out-of-bounds read may allow an application to gain elevated privileges (CVE-2018-4371).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4420).
  • Kernel: a memory initialization issue may allow an application to read restricted memory (CVE-2018-4413).
  • Kernel: a memory corruption issue may allow an application to execute arbitrary code with kernel privileges (CVE-2018-4419).
  • Messages: an inconsistent user interface issue may lead to UI spoofing when processing a maliciously crafted text message (CVE-2018-4390, CVE-2018-4391).
  • NetworkExtension: connecting to a VPN server may leak DNS queries to a DNS proxy (CVE-2018-4369).
  • Notes: a local attacker may be able to share items from the lock screen (CVE-2018-4388).
  • Safari Reader: enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting (CVE-2018-4374).
  • Safari Reader: enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting (CVE-2018-4377).
  • Security: a validation issue may lead to a denial of service when processing a maliciously crafted S/MIME signed message (CVE-2018-4400).
  • VoiceOver: a local attacker may be able to view photos from the lock screen (CVE-2018-4387).
  • WebKit: visiting a malicious website may lead to address bar spoofing (CVE-2018-4385).
  • WebKit: multiple memory corruption issues may lead to arbitrary code execution when processing maliciously crafted web content (CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416).
  • WebKit: a resource exhaustion issue may allow a malicious website to cause a denial of service (CVE-2018-4409).
  • WebKit: a memory corruption issue may lead to code execution when processing maliciously crafted web content (CVE-2018-4378).
  • Wi-Fi: an attacker in a privileged position may be able to perform a denial of service attack (CVE-2018-4368).

We recommend downloading and applying the security updates made available by Apple as soon as possible.

For more information on the vulnerable products and the available updates, see the following Apple security bulletins (in English):

According to specialist press reports, Apple has for the moment suspended the watchOS 5.1 update after some users reported that the update had effectively bricked their Apple Watch Series 4, causing an endless reboot loop.
