Apple fixes remote crash vulnerability in macOS and iOS versions

Apple has released a slew of security updates for its macOS and iOS operating systems, to go with the new hardware the company introduced today.

A total of 71 security updates are available for the current macOS Mojave, and the older High Sierra and Sierra versions.

Researchers found multiple vulnerabilties within the macOS XNU kernel which Apple also uses for iOS.

Among these is CVE-2018-4407 found by researcher Kevin Backhouse of software engineering analytics firm Semmle.

This bug allows an attacker to remotely crash all unpatched macOS and iOS devices on the same network, such as public Wi-Fi, thanks to a buffer overflow in the code that handles Internet Control Message Protocol (ICMP) packets.

While Backhouse is reluctant to disclose the full details of the bug, he has written and assembled proof of concept code that demonstrate the vulnerability.

Apple publicly acknowledged the bug and announced the fix today, but the company patched it quietly in September for the current versions of macOS and iOS, before their public release.

"It was fixed with the release of iOS 12 (2018-09-17) and macOS Mojave (2018-09-24).

But Apple delayed the disclosure until today. Today they back-ported the fix to older versions of macOS," Backhouse told iTnews.

Apple ships third-party open source software with macOS, and today's set of patches take care of multiple buffer overflow issues reported in 2017 in the Perl programming language, for Sierra and High Sierra.

The Ruby language shipping with Sierra gets eleven fixes for remote code execution, with six of the bugs being from 2017.

iOS 12.1 meanwhile for mobile devices contains 32 bug fixes. Of these, three are remotely exploitable, with two allowing arbitrary code execution via the FaceTime audio and video communications program.

Separately, Apple also released patched versions of the Safari web browser, the iCloud client and iTunes for Windows 7 and later, as well as new watchOS and tvOS variants with security fixes.