NOTICE: Update multiple Apple products to address vulnerabilities
Tuesday, March 26, 2019
3/26/19 clarification: Changed the list of affected systems to include "macOS versions prior to 10.14.14." The text originally listed there ("macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra") was actually the name of the update.
This information was sent to U-M IT staff groups via email on March 26, 2019. It is intended for those who are responsible for university devices running Apple products. It is also applicable to users of Apple products, including those who use Apple software on Windows and other operating systems.
Summary
Apple has released updates to fix multiple vulnerabilities in iCloud, iTunes, Safari, Mojave, High Sierra, Sierra, tvOS, Xcode, and iOS. The most severe of these vulnerabilities could allow for arbitrary code execution. Update to the most recent version as soon as possible after appropriate testing.
Problem
Successful exploitation of the most severe of the announced vulnerabilities in Apple products could result in arbitrary code execution within the application and allow an attacker to gain the same privileges as the logged-in user—or bypass security settings. Depending on the privileges associated with the user or application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threats
There are currently no reports of these vulnerabilities being exploited in the wild.
Affected Systems
- iCloud for Windows prior to Version 7.11
- iTunes versions prior to 12.9.4 for Windows
- Safari versions prior to 12.1
- macOS versions prior to 10.14.14
- tvOS versions prior to 12.2
- Xcode versions prior to 10.2
- iOS versions prior to 12.2
Action Items
Update the products listed above to the most recent version as soon as possible after appropriate testing. See Apple security updates for a list of available updates.
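For units that track Apple software versions in an inventory, the following check flags devices still below the fixed versions given in the Affected Systems list above. It is an added example for this notice, not a U-M or Apple tool; the product-name keys and the sample inventory are constructed, and the thresholds are copied from the list exactly as the notice states them.

```python
# Added example: decide whether an installed Apple product version is older
# than the fixed version named in the notice's Affected Systems list.
import re

# Minimum fixed versions, copied verbatim from the notice (keys are my own labels).
FIXED_VERSIONS = {
    "iCloud for Windows": "7.11",
    "iTunes for Windows": "12.9.4",
    "Safari": "12.1",
    "macOS": "10.14.14",
    "tvOS": "12.2",
    "Xcode": "10.2",
    "iOS": "12.2",
}

def parse_version(text):
    """Turn '12.9.4' or '10.14.3 (18D109)' into a tuple of ints.

    Anything after the first whitespace (e.g. a build number) is dropped, and
    non-numeric components raise ValueError rather than silently comparing as 0.
    """
    core = text.strip().split()[0]
    parts = core.split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, installed):
    """True if `installed` is strictly older than the fixed version for `product`."""
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so '12.1' equals '12.1.0' instead of sorting below it.
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have < fixed

def report(inventory):
    """Return the (host, product, version) entries that still need the update."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]

if __name__ == "__main__":
    # Constructed sample inventory, e.g. from `sw_vers -productVersion` on macOS
    # or Safari's CFBundleShortVersionString; not real U-M devices.
    sample = [
        ("lab-mac-01", "macOS", "10.14.3 (18D109)"),
        ("lab-mac-02", "Safari", "12.1"),
        ("dev-mac-07", "Xcode", "10.1"),
        ("kiosk-ipad-3", "iOS", "12.2"),
    ]
    for host, product, version in report(sample):
        print(f"{host}: {product} {version} needs updating")
```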
Please share this information with those in your unit as appropriate. You can print and post 03-26-19 - IA Notice Poster. Digital signs are in this U-M Box folder: Safe Computing - Security Tips (Digital Signs).
Technical Details
Numerous vulnerabilities are addressed by the updates provided by Apple. Common Vulnerabilities and Exposures (CVEs) are listed below:
- A buffer overflow issue was addressed with improved memory handling. (CVE-2019-6224)
- A buffer overflow was addressed with improved bounds checking. (CVE-2019-6213)
- A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. (CVE-2019-6228)
- A denial of service issue was addressed with improved validation. (CVE-2019-6219)
- A logic issue was addressed with improved validation. (CVE-2019-6229)
- A memory consumption issue was addressed with improved memory handling. (CVE-2018-4452)
- Multiple memory corruption issues were addressed with improved input validation. (CVE-2018-20346, CVE-2018-20505, CVE-2018-20506)
- A memory corruption issue was addressed with improved lock state checking. (CVE-2019-6205)
- An issue existed with autofill resuming after it was canceled. The issue was addressed with improved state management. (CVE-2019-6206)
- An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. (CVE-2019-6209)
- Multiple memory corruption issues were addressed with improved input validation. (CVE-2019-6210, CVE-2019-6218)
- Multiple memory corruption issues were addressed with improved memory handling. (CVE-2019-6212, CVE-2019-6216, CVE-2019-6217, CVE-2019-6226, CVE-2019-6227, CVE-2019-6233, CVE-2019-6234)
- Multiple memory corruption issues were addressed with improved state management. (CVE-2018-4467, CVE-2019-6211)
- Multiple memory corruption issues were addressed with improved validation. (CVE-2019-6225, CVE-2019-6235)
- Multiple memory initialization issues were addressed with improved memory handling. (CVE-2019-6208, CVE-2019-6230)
- Multiple out-of-bounds read issues were addressed with improved bounds checking. (CVE-2019-6202, CVE-2019-6221, CVE-2019-6231)
- Multiple out-of-bounds read issues were addressed with improved input validation. (CVE-2019-6200, CVE-2019-6220)
- Multiple type confusion issues were addressed with improved memory handling. (CVE-2019-6214, CVE-2019-6215)
How We Protect U-M
- This communication is being sent to IT staff across the university.
- Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
If you use Apple products on your own devices that are not managed by the university, apply updates as soon as they are available.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- Apple patches 51 security flaws with iOS 12.2 update (Naked Security, 3/26/19)
- iOS 12.2 fixes bug that granted apps hidden access to the microphone (ZDNet, 3/26/19)
- Apple Secures iOS and macOS With New Updates (eWeek, 3/26/19)
- iOS 12.2 Patches Over 50 Security Vulnerabilities (Bleeping Computer, 3/25/19)
- Apple security updates (Apple)
- About the security content of iOS 12.2 (Apple)
- About the security content of macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra (Apple)
- About the security content of tvOS 12.2 (Apple)
- About the security content of Safari 12.1 (Apple)
- About the security content of iTunes 12.9.4 for Windows (Apple)
- About the security content of iCloud for Windows 7.11 (Apple)
- About the security content of Xcode 10.2 (Apple)