VARIoT IoT vulnerabilities database
| VAR-201812-0908 | CVE-2018-19241 | Buffer error vulnerability in TRENDnet TV-IP110WN and TV-IP121WN devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Buffer overflow in video.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload (without authentication). TRENDnet TV-IP110WN and TV-IP121WN devices contain a buffer error vulnerability; information may be tampered with. The TRENDnet TV-IP110WN is a wireless internet surveillance camera, and the TRENDnet TV-IP121WN is a network camera solution for surveillance. Both contain buffer overflow (BoF) vulnerabilities: an attacker can deliver a payload in the "url" parameter of a POST request to trigger the overflow without authentication.
###########################################
Vulnerabilities found in TRENDnet devices
Authors: Prashast Srivastava, Mathias Payer, Howard Shrobe, Hamed Okhravi
Author contact: https://github.com/prashast/
###########################################
Multiple vulnerabilities including Command Injection, Buffer Overflow and
Reflective XSS vulnerabilities were found in the following TRENDnet devices:
Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP
IP-Cameras: TV-IP110WN, TV-IP121WN
These were found using our dynamic analysis tool for embedded devices.
The PoCs will be made available upon the public release of our tool.
A more detailed breakdown is presented below on a per-vulnerability basis:
Command Injection
------------------
CVE-ID: CVE-2018-19239
Product: TEW-673GRU
Module affected: `start_arpping` function in `timer` binary
Firmware version: v1.00b40
TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection
vulnerability in the `start_arpping` function of the `timer` binary,
which allows remote attackers to execute arbitrary commands via three
parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the
apply.cgi binary through a POST request. Exploiting the vulnerability
requires a user to be authenticated with the router with
administrative credentials.
The `start_arpping` function reads the following values from the NVRAM:
dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values
are then passed to the `arpping` utility without any sort of sanity checks.
Out of these values, the outward-facing configuration web server (httpd)
running at `IP: 192.168.10.1 Port: 80` allows a user to modify the first
three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP
server configuration webpage available at `http://192.168.10.1/lan.asp`
by making a POST request to the `apply.cgi` binary with the appropriate
parameters.
We have observed that by directly making a POST request to the `apply.cgi`
binary with the values of the three parameters mentioned above containing
command-injection payloads, it is possible to execute arbitrary commands on
the router with root privileges.
A sub-routine respondAsp is called that copies a user-controlled parameter
into a stack variable using strcpy without any bounds check.
Reflective XSS
---------------
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
- TEW-634GRU (v1.01B14)
Module affected: `login.cgi`
`login.cgi` in TRENDnet TEW-632BRP, TEW-673GRU and TEW-634GRU has a
reflected XSS vulnerability that does not require any authentication.
Vendor Disclosure
------------------
The vulnerabilities were reported to the vendor on 12/03.
The vendor replied on 12/05 that, since the products had reached their
end-of-life, no future development or firmware updates would be provided
for these devices.
| VAR-201812-0906 | CVE-2018-19239 | OS command injection vulnerability in TRENDnet TEW-673GRU devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vulnerability in the start_arpping function of the timer binary, which allows remote attackers to execute arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary through a POST request. The TRENDnet TEW-673GRU device contains an OS command injection vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). The TRENDnet TEW-673GRU is a dual-band green router. There is a command injection vulnerability in the TRENDnet TEW-673GRU.
Exploiting the vulnerability requires a user to be authenticated with the
router with administrative credentials.
Buffer Overflows
------------------
CVE-ID: CVE-2018-19240
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `network.cgi`
A buffer overflow via the `iptype` parameter of `network.cgi` on TRENDnet
TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN
V1.2.2 build 28 devices allows attackers to hijack the control flow to any
attacker-specified location by crafting a POST request payload (without
authentication).
x-----------x
CVE-ID: CVE-2018-19241
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `video.cgi`
A BoF vulnerability exists in the CGI binary which can modify the quality of
the video recorded on the camera. A sub-routine respondAsp is called that
copies a user-controlled parameter into a stack variable using strcpy
without any bounds check. This makes the subroutine vulnerable to BoF, and
it can be exploited without authentication.
x-----------x
Products:
- TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64)
- TV-IP121WN (V1.2.2 build 28)
Module affected: `watch.cgi`
A BoF vulnerability exists in the `watch.cgi` binary and how it handles
the `url` parameter. An attacker can deliver its payload using a POST request
in the `url` parameter to trigger the BoF vulnerability without authentication.
x-----------x
CVE-ID: CVE-2018-19242
Products:
- TEW-632BRP (1.010B32)
- TEW-673GRU (v1.00b40)
Module affected: `apply.cgi`
Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU
devices allows attackers to hijack the control flow to any attacker-specified
location by crafting a POST request payload (with authentication).
| VAR-201812-1035 | CVE-2018-19982 | Validation vulnerability in KT MC01507L Z-Wave S0 devices |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
An issue was discovered on KT MC01507L Z-Wave S0 devices. It occurs because HPKP is not implemented. The communication architecture is APP > Server > Controller (HUB) > Node (products which are controlled by the HUB). The prerequisite is that the attacker is on the same network as the target HUB and can use IP Changer to change the destination IP address of all packets whose destination IP address is the Server to a proxy-server IP address. This allows sniffing of cleartext between Server and Controller. The cleartext command data is transmitted to the Controller using the proxy server's fake certificate, and it is able to control each Node of the HUB. Also, by operating the HUB in Z-Wave Pairing Mode, it is possible to obtain the Z-Wave network key. There is a security vulnerability in KT MC01507L Z-Wave S0, caused by the program not enabling the HPKP mechanism. A local attacker could exploit this vulnerability to sniff the plaintext between the server and the controller and obtain the Z-Wave network key.
| VAR-201812-1301 | No CVE | Code execution vulnerability in UNIFI SDN Controller |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
UNIFI SDN Controller is an SDN controller produced by Ubiquiti Networks.
A code execution vulnerability exists in the UNIFI SDN Controller. An attacker could use this vulnerability to execute arbitrary code.
| VAR-201812-1036 | CVE-2018-19983 | Input validation vulnerability in Sigma Design Z-Wave S0 and S2 devices |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the attacker conducts a DoS attack against the Z-Wave S0 Security version product by continuously sending divided "Nonce Get (0x98 0x81)" frames. The reason for dividing the "Nonce Get" frame is that, in security version S0, when a node receives a "Nonce Get" frame, the node produces a random new nonce and sends it to the Src node of the received "Nonce Get" frame. After the nonce value is generated and transmitted, the node transitions to wait mode. At this time, when "Nonce Get" is received again, the node discards the previous nonce value and generates a random nonce again. Therefore, because the frame is encrypted with the previous nonce value, the received normal frame cannot be decrypted. are power management devices. A local attacker could exploit this vulnerability to prevent the device from decrypting received normal frames.
| VAR-201812-0951 | CVE-2018-20002 | GNU Binutils Resource management vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm. GNU Binutils contains a resource management vulnerability; service operation may be interrupted (DoS). GNU Binutils is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition, denying service to legitimate users.
GNU Binutils 2.31 is vulnerable; other versions may also be affected. Archive tools.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Binutils: Multiple vulnerabilities
Date: August 03, 2019
Bugs: #672904, #672910, #674668, #682698, #682702
ID: 201908-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=======
Multiple vulnerabilities have been found in Binutils, the worst of
which may allow remote attackers to cause a Denial of Service
condition.
Background
=========
The GNU Binutils are a collection of tools to create, modify and
analyse binary files. Many of the files use BFD, the Binary File
Descriptor library, to do low-level manipulation. Please
review the referenced CVE identifiers for details.
Impact
=====
A remote attacker, by enticing a user to compile/execute a specially
crafted ELF, object, PE, or binary file, could possibly cause a Denial
of Service condition or have other unspecified impacts.
Workaround
=========
There is no known workaround at this time.
Resolution
=========
All Binutils users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.32-r1"
References
=========
[ 1 ] CVE-2018-10372
https://nvd.nist.gov/vuln/detail/CVE-2018-10372
[ 2 ] CVE-2018-10373
https://nvd.nist.gov/vuln/detail/CVE-2018-10373
[ 3 ] CVE-2018-10534
https://nvd.nist.gov/vuln/detail/CVE-2018-10534
[ 4 ] CVE-2018-10535
https://nvd.nist.gov/vuln/detail/CVE-2018-10535
[ 5 ] CVE-2018-12641
https://nvd.nist.gov/vuln/detail/CVE-2018-12641
[ 6 ] CVE-2018-12697
https://nvd.nist.gov/vuln/detail/CVE-2018-12697
[ 7 ] CVE-2018-12698
https://nvd.nist.gov/vuln/detail/CVE-2018-12698
[ 8 ] CVE-2018-12699
https://nvd.nist.gov/vuln/detail/CVE-2018-12699
[ 9 ] CVE-2018-12700
https://nvd.nist.gov/vuln/detail/CVE-2018-12700
[ 10 ] CVE-2018-13033
https://nvd.nist.gov/vuln/detail/CVE-2018-13033
[ 11 ] CVE-2018-19931
https://nvd.nist.gov/vuln/detail/CVE-2018-19931
[ 12 ] CVE-2018-19932
https://nvd.nist.gov/vuln/detail/CVE-2018-19932
[ 13 ] CVE-2018-20002
https://nvd.nist.gov/vuln/detail/CVE-2018-20002
[ 14 ] CVE-2018-20651
https://nvd.nist.gov/vuln/detail/CVE-2018-20651
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-01
Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
| VAR-201812-1034 | CVE-2018-19980 | Anker Nebula Capsule Pro Input validation vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService. Anker Nebula Capsule Pro contains an input validation vulnerability; service operation may be interrupted (DoS). Anker Nebula Capsule Pro is a projector device from Anker Innovations, USA. A security vulnerability exists in the Anker Nebula Capsule Pro NBUI_M1_V2.1.9 release.
| VAR-201812-0395 | CVE-2018-1652 | IBM DataPower Gateway and MQ Appliance Input validation vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
IBM DataPower Gateway 7.1.0.0 through 7.1.0.19, 7.2.0.0 through 7.2.0.16, 7.5.0.0 through 7.5.0.10, 7.5.1.0 through 7.5.1.9, 7.5.2.0 through 7.5.2.9, and 7.6.0.0 through 7.6.0.2 and IBM MQ Appliance 8.0.0.0 through 8.0.0.8 and 9.0.1 through 9.0.5 could allow a local user to cause a denial of service through unknown vectors. IBM X-Force ID: 144724. The vendor has confirmed this vulnerability and released it as IBM X-Force ID: 144724; service operation may be interrupted (DoS).
An attacker can exploit this issue to cause a denial-of-service condition. IBM DataPower Gateway is a secure and integrated platform designed for mobile, cloud, application programming interface (API), web, service-oriented architecture (SOA), B2B and cloud workloads. MQ Appliance is an all-in-one device for rapid deployment of enterprise-level messaging middleware. The following products and versions are affected: IBM DataPower Gateway Version 7.1.0.0 to Version 7.1.0.19, Version 7.2.0.0 to Version 7.2.0.16, Version 7.5.0.0 to Version 7.5.0.10, Version 7.5.1.0 to Version 7.5.1.9, Version 7.5.2.0 to Version 7.5.2.9, Version 7.6.0.0 to Version 7.6.0.2; MQ Appliance Version 8.0.0.0 to Version 8.0.0.8, Version 9.0.1 to Version 9.0.5.
| VAR-201812-1302 | No CVE | ZTE C520 smart camera authentication flaw vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
ZTE C520 is a smart Wi-Fi care camera.
The ZTE C520 smart camera has an authentication flaw. The camera requires username and password authentication to log in, view images and change parameter settings, but authorization after login is based on the client IP address: once an IP has logged in with an account, that IP is automatically authorized to access the management back end. Attackers can use this flaw to call the management back end at will and perform various operations.
| VAR-201812-1299 | No CVE | ZTE C520 smart camera directory traversal vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
ZTE C520 is a smart Wi-Fi care camera.
The ZTE C520 smart camera has a directory traversal vulnerability. An attacker could exploit the vulnerability to read arbitrary files.
| VAR-201812-1073 | CVE-2018-19939 | NULL pointer dereference vulnerability in Xiaomi daisy-o-oss Mi A2 Lite and RedMi6 pro devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi daisy-o-oss and daisy-p-oss as used in Mi A2 Lite and RedMi6 pro devices through 2018-08-27 has a NULL pointer dereference in kfree after a kmalloc failure in gtp_read_Color in drivers/input/touchscreen/gt917d/gt9xx.c. Xiaomi Mi A2 Lite and RedMi6 pro are both smartphones of China's Xiaomi Technology (Xiaomi). The vulnerability stems from improper design or implementation during code development. An attacker could use this vulnerability to cause a denial of service (NULL pointer dereference).
| VAR-201812-1196 | CVE-2018-7364 | ZTE ZXIN10 Access control vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product (European region) are impacted by an improper access control vulnerability. Due to improper access control of the devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges. ZTE ZXIN10 contains an access control vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ZXIN10 is a comprehensive intelligent network system developed by China's ZTE Corporation (ZTE). The system mainly provides cross-network intelligent network services for fixed-network users, GSM and CDMA mobile-network users and paging-network users.
| VAR-201812-0556 | CVE-2018-19659 | Moxa NPort W2x50A operating system command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. This is similar to CVE-2017-12120. Moxa NPort W2x50A product firmware contains an OS command injection vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). Moxa NPort W2x50A is a serial communication server used by Moxa to connect industrial serial devices to the network.
| VAR-201812-0243 | CVE-2018-15362 | XML external entity vulnerability in GE Proficy Cimplicity GDS |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: Critical |
XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0. GE Proficy Cimplicity GDS contains an XML external entity (XXE) vulnerability; information may be obtained and service operation may be interrupted (DoS).
Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions.
Versions prior to Global Discovery Server 2.1 are vulnerable.
| VAR-201812-1013 | CVE-2018-19922 | Actiontec C1000A Router firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request. The Actiontec C1000A router firmware contains a cross-site scripting vulnerability; information may be obtained and altered. Actiontec C1000A is a wireless router product of Actiontec Electronics in the United States.
| VAR-201812-0141 | CVE-2018-17924 | Missing authentication for critical function vulnerability in Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules |
CVSS V2: 7.8 CVSS V3: 8.6 Severity: HIGH |
An unauthenticated, remote threat actor could send a CIP connection request to an affected Rockwell Automation MicroLogix 1400 Controller or 1756 ControlLogix Communications Module and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system, as system traffic is still attempting to communicate with the device via the overwritten IP address. Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules lack authentication for critical functions; service operation may be interrupted (DoS). Rockwell Automation MicroLogix 1400 Controllers Series A, etc. are programmable logic controllers of Rockwell Automation in the United States.
An attacker can exploit this issue to modify system settings and cause a denial-of-service condition.
The following products are vulnerable:
MicroLogix 1400 Controllers
1756 ControlLogix EtherNet/IP Communications Modules
The following products and versions are affected: MicroLogix 1400 Controllers Series A (all versions), Series B 21.003 and earlier, Series C 21.003 and earlier; 1756-ENBT (all versions), 1756-EWEB Series A (all versions), 1756-EWEB Series B (all versions), 1756-EN2F Series A (all versions), 1756-EN2F Series B (all versions), 1756-EN2F Series C 10.10 and earlier, 1756-EN2T Series A (all versions), 1756-EN2T Series B (all versions), 1756-EN2T Series C (all versions), 1756-EN2T 10.10 and earlier, 1756-EN2TR Series A (all versions), 1756-EN2TR Series B (all versions), Series C 10.10, 1756-EN3TR Series A (all versions), 1756-EN3TR Series B 10.10 and earlier (1756 ControlLogix EtherNet/IP communication modules).
| VAR-201812-1006 | CVE-2018-19911 | FreeSWITCH Input validation vulnerability |
CVSS V2: 7.6 CVSS V3: 7.5 Severity: HIGH |
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password "works" for the freeswitch account can sometimes be used. FreeSWITCH contains an input validation vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minessale. The software can be used to create audio, video and short message products and applications. The mod_xml_rpc module is one of the modules that supports triggering the API from the web control interface. There is a security vulnerability in the mod_xml_rpc module in FreeSWITCH 1.8.2 and earlier versions.
| VAR-201904-1396 | CVE-2018-4439 | Updates for vulnerabilities in multiple Apple products |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
A logic issue was addressed with improved validation. This issue affected versions prior to iOS 12.1.1, Safari 12.0.2, iTunes 12.9.2 for Windows, and iCloud for Windows 7.9. Apple has released an update for each product. The expected impact depends on each vulnerability, but may include: privilege escalation, access restriction bypass, arbitrary code execution, service operation interruption (DoS), information leak, incorrect configuration profile usage, UI spoofing, and address bar spoofing. Multiple Apple products contain a logic vulnerability due to a lack of input validation; information may be tampered with. Apple Safari and the other affected products are products of Apple. Apple Safari is the web browser that ships as the default browser on macOS and iOS. Apple iOS is an operating system developed for mobile devices. Apple iTunes for Windows is a media player application for the Windows platform. A security vulnerability exists in the Safari component of several Apple products; an attacker could exploit it by using a specially crafted website to spoof the user interface.
CVE-2018-4438: lokihardt of Google Project Zero
Installation note:
Safari 12.0.2 may be obtained from the Mac App Store.
APPLE-SA-2018-12-05-1 iOS 12.1.1
iOS 12.1.1 is now available and addresses the following:
AirPort
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)
Disk Images
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4465: Pangu Team
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local attacker may be able to view contacts
from the lock screen
Description: A lock screen issue allowed access to contacts on a
locked device.
CVE-2018-4430: videosdebarraquito
File Provider
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to learn information
about the presence of other applications on the device
Description: This issue was addressed with improved entitlements.
CVE-2018-4446: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan
Deaconescu of University POLITEHNICA of Bucharest
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed by removing the
vulnerable code.
CVE-2018-4460: Kevin Backhouse of Semmle Security Research Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4431: An independent security researcher has reported this
vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2018-4435: Jann Horn of Google Project Zero, Juwei Lin(@panicaII)
and Junzhi Lu of TrendMicro Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2018-4447: Juwei Lin(@panicaII) and Zhengyu Dong of TrendMicro
Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4461: Ian Beer of Google Project Zero
LinkPresentation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted email may lead to user
interface spoofing
Description: A spoofing issue existed in the handling of URLs.
CVE-2018-4429: Victor Le Pochat of imec-DistriNet, KU Leuven
Profiles
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An untrusted configuration profile may be incorrectly
displayed as verified
Description: A certificate validation issue existed in configuration
profiles. This was addressed with additional checks.
CVE-2018-4436: James Seeley @Code4iOS, Joseph S. of Wyong High School
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: A logic issue was addressed with improved validation.
CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the
history.
CVE-2018-4445: William Breuer
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4441: lokihardt of Google Project Zero
CVE-2018-4442: lokihardt of Google Project Zero
CVE-2018-4443: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue existed resulting in memory corruption.
CVE-2018-4438: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
Additional recognition
Profiles
We would like to acknowledge Luke Deshotels, Jordan Beichler, and
William Enck of North Carolina State University; Costin Carabaș and
Răzvan Deaconescu of University POLITEHNICA of Bucharest for their
assistance.
SafariViewController
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.1.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlwINzopHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3F1FhAA
vJoYbLbK0j4TDxVDWzcyTTNdF/B2vaz3Ljw8WpsYmJaMazHxsvRe3UfqBdbz1hGL
8hYBqdnjh+O9qck61tCWfH3A8f284onjL2XYdJC1NaRHr6pnJNJYU7peaavxbEty
sduSMVImtPl8s9LROC0qpldpGWiRlORXUa3HZ7FDoagsy6BWW6J0srFIzylhyqZ4
LxOZ/zWJE7J50dGRA2ixGT42OgeZhVJjJTSazA44pFepfSPYEogt57A3h3sfRHIg
8Yj4rOeK+u92UqA4cTTaUwN+OZgy1HuL33tKFduYQU7IXxpNKoqL+HR0LR+HZ53O
lLjOCAaxrEV4kWAMB5zt41JcFJu9fNfoCFG3jc+HQnlXfjP9/IZ/hH5vAQju8TO8
JKs3Om1BdMc+UVm1JhdmxNGB3I1bE5TllyanfU2B7LR/RGXNYbnE0ibEiuTtwX1x
hZN6a2MV3dBJajCeLT/t7tMiaHYbJ44KBLIRpnzvzbY2tSLjyWAxA/xpfFBSPCwM
mGJo8uWj6KcgiM4rHEgas3FVK/9BRvDj7mpP+tYuMA5wTuJPZOsa2kMiIXcgjaLB
ykPlc/1GYrzkK9lRTXfu6y8+J1ngx1QGX5tMv7HyrdvCdp9c5OIOA3G9iVCUwRNr
i10Ydh86HYDDPjbsGhNH+CT3fWnoFyYNg7F05Y+4piY=
=aFkK
-----END PGP SIGNATURE-----
| VAR-201904-1394 | CVE-2018-4437 | Memory corruption vulnerabilities in multiple Apple products |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9. Apple Safari and the other affected products are all Apple products. Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is the web browser engine component. A buffer error vulnerability exists in the WebKit component of several Apple products. The vulnerability stems from incorrect verification of data boundaries when the system or product operates on memory, resulting in incorrect reads and writes to other associated memory locations. Attackers can exploit this vulnerability to cause a buffer overflow, heap overflow, or similar condition.
CVE-2018-4438: lokihardt of Google Project Zero
Installation note:
Safari 12.0.2 may be obtained from the Mac App Store.
CVE-2018-4438: lokihardt of Google Project Zero
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009
------------------------------------------------------------------------
Date reported : December 13, 2018
Advisory ID : WSA-2018-0009
WebKitGTK+ Advisory URL :
https://webkitgtk.org/security/WSA-2018-0009.html
WPE WebKit Advisory URL :
https://wpewebkit.org/security/WSA-2018-0009.html
CVE identifiers : CVE-2018-4437, CVE-2018-4438, CVE-2018-4441,
CVE-2018-4442, CVE-2018-4443, CVE-2018-4464.
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.
CVE-2018-4437
Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
2.22.3.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4438
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4441
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4442
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4443
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4464
Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
Processing maliciously crafted web content may lead to arbitrary
code execution.
We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.
Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK+ and WPE WebKit team,
December 13, 2018
==========================================================================
Ubuntu Security Notice USN-3854-1
January 10, 2019
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
libjavascriptcoregtk-4.0-18 2.22.5-0ubuntu0.18.10.1
libwebkit2gtk-4.0-37 2.22.5-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
libjavascriptcoregtk-4.0-18 2.22.5-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 2.22.5-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3854-1
CVE-2018-4437
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.5-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.5-0ubuntu0.18.04.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2018-12-05-1 iOS 12.1.1
iOS 12.1.1 is now available and addresses the following:
Airport
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)
Disk Images
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4465: Pangu Team
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local attacker may be able to view contacts
from the lock screen
Description: A lock screen issue allowed access to contacts on a
locked device.
CVE-2018-4430: videosdebarraquito
File Provider
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to learn information
about the presence of other applications on the device
Description: This issue was addressed with improved entitlements.
CVE-2018-4446: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan
Deaconescu of University POLITEHNICA of Bucharest
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed by removing the
vulnerable code.
CVE-2018-4460: Kevin Backhouse of Semmle Security Research Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4431: An independent security researcher has reported this
vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2018-4435: Jann Horn of Google Project Zero, Juwei Lin(@panicaII)
and Junzhi Lu of TrendMicro Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2018-4447: Juwei Lin(@panicaII) and Zhengyu Dong of TrendMicro
Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4461: Ian Beer of Google Project Zero
LinkPresentation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted email may lead to user
interface spoofing
Description: A spoofing issue existed in the handling of URLs. This
issue was addressed with improved input validation.
CVE-2018-4429: Victor Le Pochat of imec-DistriNet, KU Leuven
Profiles
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An untrusted configuration profile may be incorrectly
displayed as verified
Description: A certificate validation issue existed in configuration
profiles. This was addressed with additional checks.
CVE-2018-4436: James Seeley @Code4iOS, Joseph S. of Wyong High School
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: A logic issue was addressed with improved validation.
CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the
history. The issue was addressed with improved data deletion.
CVE-2018-4445: William Breuer
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4441: lokihardt of Google Project Zero
CVE-2018-4442: lokihardt of Google Project Zero
CVE-2018-4443: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue existed resulting in memory corruption.
This was addressed with improved state management.
CVE-2018-4438: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
Additional recognition
Profiles
We would like to acknowledge Luke Deshotels, Jordan Beichler, and
William Enck of North Carolina State University; Costin Carabaș and
Răzvan Deaconescu of University POLITEHNICA of Bucharest for their
assistance.
SafariViewController
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.1.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201904-1395 | CVE-2018-4438 | Vulnerabilities in updates for multiple Apple products |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9. Apple has released an update for each product. The expected impact depends on each vulnerability, but may include the following:
* Privilege escalation
* Access restriction bypass
* Arbitrary code execution
* Service operation interruption (DoS)
* Information leak
* Incorrect configuration profile usage
* UI spoofing
* Address bar spoofing
Multiple Apple products have a logic flaw related to state management, so a logic vulnerability exists. Memory may be corrupted. Apple iOS and the other affected products are all Apple products. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. Apple iTunes for Windows is a media player application for the Windows platform. WebKit is the web browser engine component. A buffer error vulnerability exists in the WebKit component of several Apple products. The vulnerability stems from incorrect verification of data boundaries when the system or product operates on memory, resulting in incorrect reads and writes to other associated memory locations. Attackers can exploit this vulnerability to cause a buffer overflow, heap overflow, or similar condition.
CVE-2018-4438: lokihardt of Google Project Zero
Installation note:
Safari 12.0.2 may be obtained from the Mac App Store.
CVE-2018-4438: lokihardt of Google Project Zero
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009
------------------------------------------------------------------------
Date reported : December 13, 2018
Advisory ID : WSA-2018-0009
WebKitGTK+ Advisory URL :
https://webkitgtk.org/security/WSA-2018-0009.html
WPE WebKit Advisory URL :
https://wpewebkit.org/security/WSA-2018-0009.html
CVE identifiers : CVE-2018-4437, CVE-2018-4438, CVE-2018-4441,
CVE-2018-4442, CVE-2018-4443, CVE-2018-4464.
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.
CVE-2018-4437
Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
2.22.3.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4438
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4441
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4442
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4443
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution.
CVE-2018-4464
Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
Processing maliciously crafted web content may lead to arbitrary
code execution.
We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.
Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK+ and WPE WebKit team,
December 13, 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2018-12-05-1 iOS 12.1.1
iOS 12.1.1 is now available and addresses the following:
Airport
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)
Disk Images
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4465: Pangu Team
FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local attacker may be able to view contacts
from the lock screen
Description: A lock screen issue allowed access to contacts on a
locked device.
CVE-2018-4430: videosdebarraquito
File Provider
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to learn information
about the presence of other applications on the device
Description: This issue was addressed with improved entitlements.
CVE-2018-4446: Luke Deshotels, Jordan Beichler, and William Enck of
North Carolina State University; Costin Carabaș and Răzvan
Deaconescu of University POLITEHNICA of Bucharest
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed by removing the
vulnerable code.
CVE-2018-4460: Kevin Backhouse of Semmle Security Research Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2018-4431: An independent security researcher has reported this
vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2018-4435: Jann Horn of Google Project Zero, Juwei Lin(@panicaII)
and Junzhi Lu of TrendMicro Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2018-4447: Juwei Lin(@panicaII) and Zhengyu Dong of TrendMicro
Mobile Security Team
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4461: Ian Beer of Google Project Zero
LinkPresentation
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted email may lead to user
interface spoofing
Description: A spoofing issue existed in the handling of URLs.
CVE-2018-4429: Victor Le Pochat of imec-DistriNet, KU Leuven
Profiles
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An untrusted configuration profile may be incorrectly
displayed as verified
Description: A certificate validation issue existed in configuration
profiles. This was addressed with additional checks.
CVE-2018-4436: James Seeley @Code4iOS, Joseph S. of Wyong High School
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: A logic issue was addressed with improved validation.
CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)
Safari
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user may be unable to fully delete browsing history
Description: "Clear History and Website Data" did not clear the
history.
CVE-2018-4445: William Breuer
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4441: lokihardt of Google Project Zero
CVE-2018-4442: lokihardt of Google Project Zero
CVE-2018-4443: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue existed resulting in memory corruption.
CVE-2018-4438: lokihardt of Google Project Zero
WebKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of
KAIST Softsec Lab, Korea
Additional recognition
Profiles
We would like to acknowledge Luke Deshotels, Jordan Beichler, and
William Enck of North Carolina State University; Costin Carabaș and
Răzvan Deaconescu of University POLITEHNICA of Bucharest for their
assistance.
SafariViewController
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.1.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/