ID

VAR-201806-1457

CVE

CVE-2018-4205

TITLE

Apple Safari of Safari Component address bar spoofing vulnerability

DESCRIPTION

An issue was discovered in certain Apple products. Safari before 11.1.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. This may allow a remote attacker to carry out phishing-style attacks. Versions prior to Safari 11.1.1 are vulnerable. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-06-01-2 Safari 11.1.1 Safari 11.1.1 is now available and addresses the following: Safari Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: A malicious website may be able to cause a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4247: FranASSois Renaud, Jesse Viviano of Verizon Enterprise Solutions Safari Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4205: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a maliciously crafted website may lead to cookies being overwritten Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions. CVE-2018-4232: an anonymous researcher, Aymeric Chaib WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2018-4246: found by OSS-Fuzz WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A race condition was addressed with improved locking. CVE-2018-4192: Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4214: found by OSS-Fuzz WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4201: an anonymous researcher CVE-2018-4218: Natalie Silvanovich of Google Project Zero CVE-2018-4233: Samuel GroA (@5aelo) working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2018-4199: Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a maliciously crafted website may leak sensitive data Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method. CVE-2018-4190: Jun Kokatsu (@shhnjk) WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4222: Natalie Silvanovich of Google Project Zero Installation note: Safari 11.1.1 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEWpnGpHhyhjM9LuGIyxcaHpDFUHMFAlsRa04pHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQyxcaHpDFUHOVEQ/+ P+thAL+hl4RuHIXCrfh/eZ+GgwPXDDVSPRefnHckiEMZSXpSDiTTu1JwWkgHf44l xwOqvFd56zSVo/gk/45FnOcpoXxcFuHk2ddJvZM4R4EaCwKW3PEcTIL+8klxyDWo 17HqxtfB32Gy6BSARcfTkXZ1/c4CfhQefYiU2JtLDui6iZLUzDEGWdQRf/Q0H8tx DNBVy1i5HGZdrZ6sgR7eKZKyuscqj9n0IbBUybPOQ37OFRfl8CYPT+XB6djgWGxo sLkZi+XYl/O/PXzQt9XfxkgKUjvvlR2hkt2mKTjFEUQDQIha4BkE2+1EdJZPNROz LRbMnxiAvY/7vb5a98h8nmXe3Z/Os/BZYyipMQjbMQt5BNkRHQK03prn7kd/g1F1 eKeplTnob9CDMcEbdnn5KvkdYcoyJFqcignVvGFJQupAU8+HJgneH4ky5laGkHY5 8JU98flmzwySOmqaTLNqfDKDQlH0Vz053KAyxZ1S8DKfmdG7ulB0lWeD02pL/vdB aAV5jI08/QpXasU2cbM0tHO1rPiYocXCSZJKNvFVlkP6z/l7hiGnJ50x1uG4eYX9 dY8K0wTe76q/co81DWUkvd+D7634tL0vmv9K3bpFoyPQJCzn2EPl97IYFcLdtGC7 NQRA+mye5jeky3zqYi5GZTuVWIqR8+I0vkYp4YHjli8= =LQMS -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

xisigr of Tencent's Xuanwu Lab (tencent.com)

SOURCES

LAST UPDATE DATE

2024-11-23T19:59:05.699000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE