Multiple vulnerabilities in Apple macOS

Published: 2019-02-08 09:28:23 | Updated: 2019-02-11
Severity High
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2019-7286
CVE-2019-7288
CVE-2019-6223
CVSSv3 7.5 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
6.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
4.9 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID CWE-119
CWE-264
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software macOS
Vulnerable software versions macOS 10.14.3
Vendor URL Apple Inc.

Security Advisory

1) Memory corruption

Description

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to a boundary error in the Foundation component when handling malicious input. A local attacker can run a specially crafted application, trigger memory corruption and gain elevated privileges.

Note: according to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.

Remediation

The vulnerability has been addressed in the version 10.14.3 Supplemental Update.

External links

https://support.apple.com/en-us/HT209521

2) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to improper validation on the FaceTime server. A remote attacker can cause an error in Live Photos in FaceTime and bypass security restrictions.

Remediation

The vulnerability has been addressed in the version 10.14.3 Supplemental Update.

External links

https://support.apple.com/en-us/HT209521

3) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to a logic issue in the handling of Group FaceTime calls. A remote attacker who is the initiator of a Group FaceTime call can cause the recipient to answer.

Remediation

The vulnerability has been addressed in the version 10.14.3 Supplemental Update.

External links

https://support.apple.com/en-us/HT209521

Back to List