Why Update to iOS 11.4.1? No More Malicious Websites Crashing Safari or Apps Breaking Out of Sandbox

Jul 9

Apple released iOS 11.4.1 earlier today. While the release brings an important security feature to iOS users in the form of USB Restricted Mode, it is otherwise a smaller update. Like many other smaller updates, it focuses heavily on bug fixes and security improvements.

iOS 11.4.1 is now available for all compatible iPhone, iPad, and iPod models, bringing an improved Find My AirPod feature along with some stability and security fixes. Apple has fixed some critical security flaws in this release, including the ability of malicious apps to read restricted memory and gain elevated privileges.

Here’s the complete security changelog of iOS 11.4.1:

CFNetwork

Impact: Cookies may unexpectedly persist in Safari

Description: A cookie management issue was addressed with improved checks.

CVE-2018-4293: an anonymous researcher

Emoji

Impact: Processing an emoji under certain configurations may lead to a denial of service

Description: A denial of service issue was addressed with improved memory handling.

CVE-2018-4290: Patrick Wardle of Digita Security

Kernel

Impact: A local user may be able to read kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2018-4282: Proteas of Qihoo 360 Nirvan Team

libxpc

Impact: An application may be able to gain elevated privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4280: Brandon Azad

libxpc

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2018-4248: Brandon Azad

LinkPresentation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2018-4277: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit

Impact: A malicious website may exfiltrate audio data cross-origin

Description: Sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking.

CVE-2018-4278: Jun Kokatsu (@shhnjk)

WebKit

Impact: A malicious website may be able to cause a denial of service

Description: A race condition was addressed with additional validation.

CVE-2018-4266: found by OSS-Fuzz

WebKit

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2018-4274: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4270: found by OSS-Fuzz

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2018-4284: found by OSS-Fuzz

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4261: Omair working with Trend Micro’s Zero Day Initiative

CVE-2018-4262: Mateusz Krzywicki working with Trend Micro’s Zero Day Initiative

CVE-2018-4263: Arayz working with Trend Micro’s Zero Day Initiative

CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab

CVE-2018-4265: cc working with Trend Micro’s Zero Day Initiative

CVE-2018-4267: Arayz of Pangu team working with Trend Micro’s Zero Day Initiative

CVE-2018-4272: found by OSS-Fuzz

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2018-4271: found by OSS-Fuzz

CVE-2018-4273: found by OSS-Fuzz

WebKit Page Loading

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2018-4260: xisigr of Tencent’s Xuanwu Lab (tencent.com)

Wi-Fi

Impact: A malicious application may be able to break out of its sandbox

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4275: Brandon Azad
