==================================================================== CERT-Renater Note d'Information No. 2018/VULN202 _____________________________________________________________________ DATE : 08/06/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Safari versions prior to 11.1.1. ===================================================================== https://support.apple.com/en-au/HT208854 _____________________________________________________________________ APPLE-SA-2018-06-01-2 Safari 11.1.1 Safari 11.1.1 is now available and addresses the following: Safari Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: A malicious website may be able to cause a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4247: Francois Renaud, Jesse Viviano of Verizon Enterprise Solutions Safari Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4205: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a maliciously crafted website may lead to cookies being overwritten Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions. CVE-2018-4232: an anonymous researcher, Aymeric Chaib WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2018-4246: found by OSS-Fuzz WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A race condition was addressed with improved locking. CVE-2018-4192: Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4214: found by OSS-Fuzz WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4201: an anonymous researcher CVE-2018-4218: Natalie Silvanovich of Google Project Zero CVE-2018-4233: Samuel Gross (@5aelo) working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2018-4199: Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro's Zero Day Initiative WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a maliciously crafted website may leak sensitive data Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method. CVE-2018-4190: Jun Kokatsu (@shhnjk) WebKit Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4222: Natalie Silvanovich of Google Project Zero Installation note: Safari 11.1.1 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================