Apple Releases Security Updates, Patches Camera App QR Code Flaw

Posted on April 25th, 2018 by

Apple has released iOS 11.3.1, Safari 11.1, and Security Update 2018-001 (available for macOS High Sierra 10.13.4). These software updates fix a handful of vulnerabilities, including macOS High Sierra and iOS 11's camera app QR code flaw.

Following are the most important details about each security update, and how or where to download the software.

iOS 11.3.1 and Security Update 2018-001

The primary focus of iOS 11.3.1 and Security Update 2018-001 is on the following vulnerabilities:

Crash Reporter
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved error handling.
CVE-2018-4206: Ian Beer of Google Project Zero

LinkPresentation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)

We mentioned the name Roman Mueller a few weeks back, in a story describing his discovery of a QR code vulnerability in iOS 11's camera app. Although this flaw, known as CVE-2018-4187, existed for nearly four months, Apple has finally come around to patching the vulnerability in iOS and macOS High Sierra.

iOS 11.3.1 also includes a few fixes for WebKit vulnerabilities and addresses a screen replacement issue in which touch input would become unresponsive on some iPhone 8 devices, because they were serviced with non-genuine replacement displays.

iOS 11.3.1 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. You can download the update over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

Security Update 2018-001 is available for any Mac running macOS High Sierra 10.13.4. You can download Security Update 2018-001 from the App Store under the Updates tab. You can also choose to download and install macOS High Sierra 10.13.4 and Security Update 2018-001 directly from Apple.com:

Safari 11.1

Safari 11.1 is an update available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4. The update fixes two WebKit vulnerabilities, the same two that are part of iOS 11.3.1, namely:

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2018-4200: Ivan Fratric of Google Project Zero

Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4204: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative, found by OSS-Fuzz

Safari 11.1 is included in Security Update 2018-001 for High Sierra 10.13.4 users, and also available as a separate download for Sierra and El Capitan users from the App Store under the Updates tab.

As always, make sure to back up your Mac and iOS device before installing any updates. After backing up your data, install these updates as soon as you can to ensure protection from exploits that may leverage these known vulnerabilities. Backing up your Mac is a breeze with Time Machine or Intego Personal Backup, and backing up your iOS device can be done easily as well.

In addition to the above-mentioned software updates, Apple also updated its Malware Removal Tool (MRT.app) to version 1.32, adding detection for Trojan OSX/Snake.A.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
