There are several more intriguing flaws, including the one affecting remote code execution (RCE) on Sierra and High Sierra, discovered by a team from South Korea’s Yonsei University (CVE-2018-4094) who spotted that “a maliciously crafted audio file may lead to arbitrary code execution.” Next come two flaws that might allow malware to access restricted memory (CVE-2018-4092 affecting all desktop versions and CVE-2018-4097 affecting macOS High Sierra 10.13.2, macOS Sierra 10.12.6.).Ĭlosing out the kernel-level theme is a memory corruption vulnerability that could allow a malicious program to run code with kernel privileges (CVE-2018-4082). These include the memory validation flaw (CVE-2018-4093), and memory initialization issue (CVE-2018-4090) in High Sierra, reported by Google Project Zero researcher Jann Horn, who helped uncover Spectre and Meltdown. The latest updates coincide with Intel issuing a rather confusing advisory, warning system makers to stop shipping a version of its Meltdown and Spectre patches after reports that they caused some systems to reboot unnecessarily.Īpparently, Apple’s updates don’t include the Intel code that might be causing this, because the warning was aimed at high-end systems used mainly by cloud service providers.Įlsewhere in 2018-001 – implemented on macOS High Sierra as 10.13.3 – there is a sprinkling of kernel-level security fixes worthy of attention. (If you need a reminder of why Meltdown and Spectre are a big deal, read Naked Security’s explainer.) Separately, iOS got the same treatment, in December (for Meltdown), when nobody knew about it, and then again in mid-January (for Spectre), when they did. Two weeks on and we have the 2018-001 update, a scheduled collection of security fixes including one that addresses Meltdown (CVE-2017-5754) for users running the older macOS Sierra 10.12.6 or OS X El Capitan 10.11.6.
#Cve 2017 5754 fix for mac update
For Apple users worried about the Spectre and Meltdown CPU security vulnerabilities – what we’ve been collectively referring to as F**CKWIT – it’s been a busy and slightly confusing few weeks.įirst, on January 8, macOS High Sierra 10.13.2 users were offered a supplemental update (including for Safari and WebKit) meant to mitigate Spectre (CVE-2017-5753 and CVE-2017-5715).
0 kommentar(er)
