SB2018120608 - Multiple vulnerabilities in Apple Safari
Published: December 6, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Spoofing attack (CVE-ID: CVE-2018-4440)
The vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists due to insufficient validation of user-supplied input in the Safari component. A remote attacker can trick the victim into visiting a specially crafted website, trigger state management error and spoof address bar.
2) Spoofing attack (CVE-ID: CVE-2018-4439)
The vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists due to insufficient validation of user-supplied input in the Safari component. A remote attacker can send a specially crafted mail message and spoof UI.
3) Security restrictions bypass (CVE-ID: CVE-2018-4445)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists in the Safari component due "Clear History and Website Data" did not clear the history. A remote attacker can bypass security restrictions and prevent fully deletion of browsing history.
4) Memory corruption (CVE-ID: CVE-2018-4443)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Memory corruption (CVE-ID: CVE-2018-4442)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
6) Memory corruption (CVE-ID: CVE-2018-4441)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
7) Memory corruption (CVE-ID: CVE-2018-4438)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger state management error and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
8) Memory corruption (CVE-ID: CVE-2018-4437)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
9) Memory corruption (CVE-ID: CVE-2018-4464)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Webkit component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.