—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

APPLE-SA-2018-7-23-1 Additional information for APPLE-SA-2018-7-9-4
macOS High Sierra 10.13.6, Security Update 2018-004 Sierra,
Security Update 2018-004 El Capitan

macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and
Security Update 2018-004 El Capitan address the following:

AMD
Available for: macOS High Sierra 10.13.5
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2018-4289: shrek_wzw of Qihoo 360 Nirvan Team

APFS
Available for: macOS High Sierra 10.13.5
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4268: Mac working with Trend Micro’s Zero Day Initiative

ATS
Available for: macOS High Sierra 10.13.5
Impact: A malicious application may be able to gain root privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4285: Mohamed Ghannam (@_simo36)

Bluetooth
Available for: MacBook Pro (15-inch, 2018), and MacBook Pro
(13-inch, 2018, Four Thunderbolt 3 Ports)
Other Mac models were addressed with macOS High Sierra 10.13.5.
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018

CFNetwork
Available for: macOS High Sierra 10.13.5
Impact: Cookies may unexpectedly persist in Safari
Description: A cookie management issue was addressed with improved
checks.
CVE-2018-4293: an anonymous researcher

CoreCrypto
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to break out of its
sandbox
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4269: Abraham Masri (@cheesecakeufo)

DesktopServices
Available for: macOS Sierra 10.12.6
Impact: A local user may be able to view sensitive user information
Description: A permissions issue existed in which execute permission
was incorrectly granted. This issue was addressed with improved
permission validation.
CVE-2018-4178: Arjen Hendrikse

IOGraphics
Available for: macOS High Sierra 10.13.5
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2018-4283: @panicaII working with Trend Micro’s Zero Day
Initiative

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.5
Impact: Systems using Intel® Core-based microprocessors may
potentially allow a local process to infer data utilizing Lazy FP
state restore from another process through a speculative execution
side channel
Description: Lazy FP state restore instead of eager save and restore
of the state upon a context switch. Lazy restored states are
potentially vulnerable to exploits where one process may infer
register values of other processes through a speculative execution
side channel that infers their value.

An information disclosure issue was addressed with FP/SIMD register
state sanitization.
CVE-2018-3665: Julian Stecklina of Amazon Germany, Thomas Prescher of
Cyberus Technology GmbH (cyberus-technology.de), Zdenek Sojka of
SYSGO AG (sysgo.com), and Colin Percival

libxpc
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.5
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4280: Brandon Azad

libxpc
Available for: macOS High Sierra 10.13.5
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2018-4248: Brandon Azad

LinkPresentation
Available for: macOS High Sierra 10.13.5
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A spoofing issue existed in the handling of URLs. This
issue was addressed with improved input validation.
CVE-2018-4277: xisigr of Tencent’s Xuanwu Lab (tencent.com)

Additional recognition

Help Viewer
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing
for their assistance.

Help Viewer
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing
for their assistance.

Help Viewer
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing
for their assistance.

Help Viewer
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing
for their assistance.

Kernel
We would like to acknowledge juwei lin (@panicaII) of Trend Micro
working with Trend Micro’s Zero Day Initiative for their
assistance.

Security
We would like to acknowledge Brad Dahlsten of Iowa State University
for their assistance.

Installation note:

macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and
Security Update 2018-004 El Capitan may be obtained from the
Mac App Store or Apple’s Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUscgACgkQ8ecVjteJ
iCYeUhAApT+4xU8iuXThUb/3bH207ZNLf8NC6eCtaPLP55Dn27hdNZYoQfGZYmY5
jKsGNXAiel02GWQLpsTeNZaWM+Tzeuus41iSFrvBFtoS4SobMYw9ymV1emxBSlY6
ZDV3L47IJOMHeF9HwE260BgIMFJDF9jMGkm22VhLE3U7uQOdIjHgOAmr/reoof4Z
84yNvBVK5/7DYlY4QxHL6bvsQG47FNs2P0WzpkrtLQwPXyz6y7I3VH4wc7G3J5dE
9YanAw/f9d31GH5lrIJLJt+pFtOsqOonHfzgf+mn7THNBIXsr7HHTiycw+6rRBlj
m9X2jL3VF25WNyU1Ir13z1Vt//Yksva8JluBFCUAMxFWi9FJhgF64Rscdmuj756u
ItMETXK15GSxc8X6Stoge3iMVfajS6nozVX99Pxf1I0XCBQNVNynQLkTL/ZzwJ7X
miBAMXywxgzZmSDo4LSs3Xs3dRk7eIPTQ7iY08wX2c5uJYfXs1deFIRaJPxsA0X3
BH2SAL1kpesU0Qk1YZGnPLtja8c4jzvWKx31EI2v0uASiwBMdswu4FL78/dq19AB
sqeW4xjmvCK2Yp9IEBp1oo0oTlfBrrl6dbnrwVFC0yBaJBAdCzlsO/oEm0VP5AKO
CqPNW3N1JAQIg0hplXq+2gLMXA7SNzxRLh0rTDRQ19mow47fDmk=
=Fo0i
—–END PGP SIGNATURE—–

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

APPLE-SA-2018-7-23-2 Additional information for
APPLE-SA-2018-06-01-1 macOS High Sierra 10.13.5, Security Update
2018-003 Sierra, Security Update 2018-003 El Capitan

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and
Security Update 2018-003 El Capitan address the following:

Accessibility Framework
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: An information disclosure issue existed in Accessibility
Framework. This issue was addressed with improved memory management.
CVE-2018-4196: G. Geshev working with Trend Micro’s Zero Day
Initiative, an anonymous researcher

AMD
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team

apache_mod_php
Available for: macOS High Sierra 10.13.4
Impact: Issues in php were addressed in this update
Description: This issue was addressed by updating to php version
7.1.16.
CVE-2018-7584: Wei Lei and Liu Yang of Nanyang Technological
University

ATS
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4219: Mohamed Ghannam (@_simo36)

Bluetooth
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to determine kernel
memory layout.
Description: An information disclosure issue existed in device
properties. This issue was addressed with improved object management.
CVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team

Bluetooth
Available for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro
(Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015),
MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016),
MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports),
MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports),
MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports),
MacBook (Retina, 12-inch, Early 2016), MacBook
(Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017),
iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac
(Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015),
iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and
iMac (21.5-inch, 2017)
Impact: An attacker in a privileged network position may be able to
intercept Bluetooth traffic
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2018-5383: Lior Neumann and Eli Biham
Entry added July 23, 2018

Firmware
Available for: macOS High Sierra 10.13.4
Impact: A malicious application with root privileges may be able to
modify the EFI flash memory region
Description: A device configuration issue was addressed with an
updated configuration.
CVE-2018-4251: Maxim Goryachy and Mark Ermolov

FontParser
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.4
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team

Grand Central Dispatch
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An issue existed in parsing entitlement plists. This
issue was addressed with improved input validation.
CVE-2018-4229: Jakob Rieck (@0xdead10cc) of the Security in
Distributed Systems Group, University of Hamburg

Graphics Drivers
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4159: Axis and pjf of IceSword Lab of Qihoo 360

Hypervisor
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team

iBooks
Available for: macOS High Sierra 10.13.4
Impact: An attacker in a privileged network position may be able to
spoof password prompts in iBooks
Description: An input validation issue was addressed with improved
input validation.
CVE-2018-4202: Jerry Decime

Intel Graphics Driver
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2018-4141: an anonymous researcher, Zhao Qixun (@S0rryMybad) of
Qihoo 360 Vulcan Team

IOFireWireAVC
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4228: Benjamin Gnahm (@mitp0sh) of Mentor Graphics

IOGraphics
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4236: Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team

IOHIDFamily
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4234: Proteas of Qihoo 360 Nirvan Team

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.4
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2018-4249: Kevin Backhouse of Semmle Ltd.

Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: In some circumstances, some operating systems may not
expect or properly handle an Intel architecture debug exception after
certain instructions. The issue appears to be from an undocumented
side effect of the instructions. An attacker might utilize this
exception handling to gain access to Ring 0 and access sensitive
memory or control operating system processes.
CVE-2018-8897: Andy Lutomirski, Nick Peterson
(linkedin.com/in/everdox) of Everdox Tech LLC

Kernel
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2018-4241: Ian Beer of Google Project Zero
CVE-2018-4243: Ian Beer of Google Project Zero

libxpc
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved validation.
CVE-2018-4237: Samuel Groß (@5aelo) working with Trend Micro’s Zero
Day Initiative

Mail
Available for: macOS High Sierra 10.13.4
Impact: An attacker may be able to exfiltrate the contents of
S/MIME-encrypted e-mail
Description: An issue existed in the handling of encrypted Mail. This
issue was addressed with improved isolation of MIME in Mail.
CVE-2018-4227: Damian Poddebniak of Münster University of Applied
Sciences, Christian Dresen of Münster University of Applied Sciences
, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster
University of Applied Sciences, Sebastian Schinzel of Münster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr
University Bochum

Messages
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to conduct impersonation attacks
Description: An injection issue was addressed with improved input
validation.
CVE-2018-4235: Anurodh Pokharel of Salesforce.com

Messages
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted message may lead to a denial
of service
Description: This issue was addressed with improved message
validation.
CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd

NVIDIA Graphics Drivers
Available for: macOS High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2018-4230: Ian Beer of Google Project Zero

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent account
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4223: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: Users may be tracked by malicious websites using client
certificates
Description: An issue existed in the handling of S-MIME
certificaties. This issue was addressed with improved validation of
S-MIME certificates.
CVE-2018-4221: Damian Poddebniak of Münster University of Applied
Sciences, Christian Dresen of Münster University of Applied Sciences
, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster
University of Applied Sciences, Sebastian Schinzel of Münster
University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj
Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr
University Bochum

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to read a persistent device
identifier
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4224: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to modify the state of the Keychain
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4225: Abraham Masri (@cheesecakeufo)

Security
Available for: macOS High Sierra 10.13.4
Impact: A local user may be able to view sensitive user information
Description: An authorization issue was addressed with improved state
management.
CVE-2018-4226: Abraham Masri (@cheesecakeufo)

Speech
Available for: macOS High Sierra 10.13.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A sandbox issue existed in the handling of microphone
access. This issue was addressed with improved handling of microphone
access.
CVE-2018-4184: Jakob Rieck (@0xdead10cc) of the Security in
Distributed Systems Group, University of Hamburg

UIKit
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted text file may lead to a
denial of service
Description: A validation issue existed in the handling of text. This
issue was addressed with improved validation of text.
CVE-2018-4198: Hunter Byrnes

Windows Server
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS
High Sierra 10.13.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4193: Markus Gaasedelen, Nick Burnett, and Patrick Biernat
of Ret2 Systems, Inc working with Trend Micro’s Zero Day Initiative,
Richard Zhu (fluorescence) working with Trend Micro’s Zero Day
Initiative

Installation note:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and
Security Update 2018-003 El Capitan may be obtained from the
Mac App Store or Apple’s Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUsfgACgkQ8ecVjteJ
iCafWxAAhgLQIu5BifHdgdN31zuPc8tIhsIAuDiAOXJX9JopRhlbs9KrQCNdz/x2
qDiCmneKttwVIhu9Os3WHLNrSxiWCphz7zhD2WIhN3H7/eF9CE2Po8BJHeZGm22K
grdfcc27eGN8AusFxRZ1HfhtCToDVNVDkbwO2nnZ0odEO1cZS8Ray2vcgcX0tRD/
X44amocIlVmC67GgwCH4+MSCdjyXcr6HSYiUcRSOuUFTWD3Q6FF3w5CfS6DMb3UO
eUUJxExueT82InZHpL6qeuQprncqsJdtZqvK++YlAfMiFm6ePJHS4sQpvoxHIWv5
yDycGl0hc+pzO8icM1ayTFh8Ei+Txv69QKdUC8rTdiqvFh4/Le4dbh4rcmP3EXb5
JMaeIuuB7Pvvm2YXoRjz0HhIG6874lci7YX0fS/+IbkSuadd4F6TOiMnFNnO9IuC
jvu9/f/+HA3e7meFA4Ori4TKW6UALPgpl9X6ohCzFDRVD7kHHmmWn4sCgcnovr8Q
BJZCapHtS7cS6vGHk0auj2wLgeEUbyRGhI3F1WPIm/+e6y+cAiWqBmUBjVTOp5S+
KZEtw/BaRjFbgx97hwB+QA0AY8yzevAQMdyzqanUNhGCfWp3WfChUNESmRdrNUWy
HDu7kphbN9EUETBHBEdA7ZE4qsP+70a6JTJ+SZ+7vB+YkrOabLU=
=kM8d
—–END PGP SIGNATURE—–

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)