NOTICE: Update multiple Apple products to address vulnerabilities

Tuesday, March 26, 2019

3/26/19 clarification: Changed the list of affected systems to include "macOS versions prior to 10.14.14." The text originally listed there ("macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra") was actually the name of the update.

This information was sent to U-M IT staff groups via email on March 26, 2019. It is intended for those who are responsible for university devices running Apple products. It is also applicable to users of Apple products, including those who use Apple software on Windows and other operating systems.

Summary

Apple has released updates to fix multiple vulnerabilities in iCloud, iTunes, Safari, Mojave, High Sierra, Sierra, tvOS, Xcode, and iOS. The most severe of these vulnerabilities could allow for arbitrary code execution. Update to the most recent version as soon as possible after appropriate testing.

Problem

Successful exploitation of the most severe of the announced vulnerabilities in Apple products could result in arbitrary code execution within the application and allow an attacker to gain the same privileges as the logged-in user or to bypass security settings. Depending on the privileges associated with the user or application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Systems

  • iCloud for Windows prior to Version 7.11
  • iTunes versions prior to 12.9.4 for Windows
  • Safari versions prior to 12.1
  • macOS versions prior to 10.14.14
  • tvOS versions prior to 12.2
  • Xcode versions prior to 10.2
  • iOS versions prior to 12.2

Action Items

Update the products listed above to the most recent version as soon as possible after appropriate testing. See Apple security updates for a list of available updates.

Please share this information with those in your unit as appropriate. You can print and post 03-26-19 - IA Notice Poster. Digital signs are in this U-M Box folder: Safe Computing - Security Tips (Digital Signs).

Threats

There are currently no reports of these vulnerabilities being exploited in the wild.

Technical Details

Numerous vulnerabilities are addressed by the updates provided by Apple. Common Vulnerabilities and Exposures (CVEs) are listed below:

How We Protect U-M

  • This communication is being sent to IT staff across the university.
  • Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

If you use Apple products on your own devices that are not managed by the university, apply updates as soon as they are available.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.