logo
DATABASE RESOURCES PRICING ABOUT US

About the security content of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan - Apple Support

Description

## About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page. For more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>). Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible. ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan Released March 29, 2018 **Admin Framework** Available for: macOS High Sierra 10.13.3 Impact: Passwords supplied to sysadminctl may be exposed to other local users Description: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional, and sysadminctl will prompt for the password if needed. CVE-2018-4170: an anonymous researcher **APFS** Available for: macOS High Sierra 10.13.3 Impact: An APFS volume password may be unexpectedly truncated Description: An injection issue was addressed through improved input validation. CVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot **ATS** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: Processing a maliciously crafted file might disclose user information Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks. CVE-2018-4112: Haik Aftandilian of Mozilla **CFNetwork Session** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4166: Samuel Groß (@5aelo) **CoreFoundation** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4155: Samuel Groß (@5aelo) CVE-2018-4158: Samuel Groß (@5aelo) **CoreText** Available for: macOS High Sierra 10.13.3 Impact: Processing a maliciously crafted string may lead to a denial of service Description: A denial of service issue was addressed with improved memory handling. CVE-2018-4142: Robin Leroy of Google Switzerland GmbH Entry updated April 3, 2019 **CoreTypes** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image Description: A logic issue was addressed with improved restrictions. CVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis **curl** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 Impact: Multiple issues in curl Description: An integer overflow existed in curl. This issue was addressed with improved bounds checking. CVE-2017-8816: Alex Nichols Entry updated April 3, 2019 **Disk Images** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: Mounting a malicious disk image may result in the launching of an application Description: A logic issue was addressed with improved validation. CVE-2018-4176: Theodor Ragnar Gislason of Syndis **Disk Management** Available for: macOS High Sierra 10.13.3 Impact: An APFS volume password may be unexpectedly truncated Description: An injection issue was addressed through improved input validation. CVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher **EFI** Available for: macOS High Sierra 10.13.3 Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK) Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management. CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven Entry added October 18, 2018 **File System Events** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4167: Samuel Groß (@5aelo) **iCloud Drive** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4151: Samuel Groß (@5aelo) **Intel Graphics Driver** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360 **IOFireWireFamily** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. **Kernel** Available for: macOS High Sierra 10.13.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4150: an anonymous researcher **Kernel** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4104: The UK's National Cyber Security Centre (NCSC) **Kernel** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4143: derrek (@derrekr6) **Kernel** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed through improved bounds checking. CVE-2018-4136: Jonas Jensen of lgtm.com and Semmle **Kernel** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with system privileges Description: An out-of-bounds read was addressed through improved bounds checking. CVE-2018-4160: Jonas Jensen of lgtm.com and Semmle **Kernel** Available for: macOS High Sierra 10.13.3 Impact: A malicious application may be able to determine kernel memory layout Description: An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling. CVE-2018-4185: Brandon Azad Entry added July 19, 2018 **kext tools** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to execute arbitrary code with system privileges Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management. CVE-2018-4139: Ian Beer of Google Project Zero **LaunchServices** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: A maliciously crafted application may be able to bypass code signing enforcement Description: A logic issue was addressed with improved validation. CVE-2018-4175: Theodor Ragnar Gislason of Syndis **libxml2** Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.3, OS X El Capitan 10.11.6 Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A use after free issue was addressed with improved memory management. CVE-2017-15412: Nick Wellnhofer Entry updated October 18, 2018 **LinkPresentation** Available for: macOS High Sierra 10.13.3 Impact: Processing a maliciously crafted text message may lead to UI spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department Entry added April 3, 2019 **Local Authentication** Available for: macOS High Sierra 10.13.3 Impact: A local user may be able to view senstive user information Description: There was an issue with the handling of smartcard PINs. This issue was addressed with additional logic. CVE-2018-4179: David Fuhrmann Entry added April 13, 2018 **Mail** Available for: macOS High Sierra 10.13.3 Impact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail Description: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature. CVE-2018-4111: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University Bochum Entry updated April 13, 2018 **Mail** Available for: macOS High Sierra 10.13.3 Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4174: John McCombs of Integrated Mapping Ltd, McClain Looney of LoonSoft Inc. Entry updated April 13, 2018 **Notes** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4152: Samuel Groß (@5aelo) **Notes** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2017-7151: Samuel Groß (@5aelo) Entry added October 18, 2018 **NSURLSession** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4166: Samuel Groß (@5aelo) **NVIDIA Graphics Drivers** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360 **PDFKit** Available for: macOS High Sierra 10.13.3 Impact: Clicking a URL in a PDF may visit a malicious website Description: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation. CVE-2018-4107: Nick Safford of Innovia Technology Entry updated April 9, 2018 **PluginKit** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4156: Samuel Groß (@5aelo) **Quick Look** Available for: macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4157: Samuel Groß (@5aelo) **Remote Management** Available for: macOS High Sierra 10.13.3 Impact: A remote user may be able to gain root privileges Description: A permissions issue existed in Remote Management. This issue was addressed through improved permission validation. CVE-2018-4298: Tim van der Werff of SupCloud Entry added July 19, 2018 **Security** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved size validation. CVE-2018-4144: Abraham Masri (@cheesecakeufo) **SIP** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A configuration issue was addressed with additional restrictions. CVE-2017-13911: Timothy Perfitt of Twocanoes Software Entry added August 8, 2018, updated September 25, 2018 **Status Bar** Available for: macOS High Sierra 10.13.3 Impact: A malicious application may be able to access the microphone without indication to the user Description: A consistency issue existed in deciding when to show the microphone use indicator. The issue was resolved with improved capability validation. CVE-2018-4173: Joshua Pokotilow of pingmd Entry added April 9, 2018 **Storage** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An application may be able to gain elevated privileges Description: A race condition was addressed with additional validation. CVE-2018-4154: Samuel Groß (@5aelo) **System Preferences** Available for: macOS High Sierra 10.13.3 Impact: A configuration profile may incorrectly remain in effect after removal Description: An issue existed in CFPreferences. This issue was addressed with improved preferences cleanup. CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera Entry updated April 3, 2019 **Terminal** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: Pasting malicious content may lead to arbitrary command execution Description: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters. CVE-2018-4106: Simon Hosie Entry updated May 15, 2019 **WindowServer** Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.3 Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management. CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH Entry updated April 3, 2019 ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## Additional recognition **Mail** We would like to acknowledge Sabri Haddouche (@pwnsdx) from Wire Swiss GmbH for their assistance. Entry added June 21, 2018 **Safari Login AutoFill** We would like to acknowledge Jun Kokatsu (@shhnjk) for their assistance. Entry added April 3, 2019 **Security** We would like to acknowledge Abraham Masri (@cheesecakeufo) for their assistance. Entry added April 13, 2018 **Sharing Pref Pane** We would like to acknowledge an anonymous researcher for their assistance. Entry added April 3, 2019


Affected Software


CPE Name Name Version
macos sierra 10.12.6
macos high sierra 10.13.4
os x el capitan 10.11.6
security update 2018
macos high sierra 10.13.3

Related