Operating System:

[MAC]

Published:

14 May 2019

Protect yourself against future threats.

//Service

Early Warning SMS

Receive SMS notifications for the most critical security threats and vulnerabilities.

Read more
Resources > Security Bulletins > ESB-2019.1698 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1698
                               Safari 12.1.1
                                14 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari 12.1.1
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8628 CVE-2019-8623 CVE-2019-8622
                   CVE-2019-8619 CVE-2019-8615 CVE-2019-8611
                   CVE-2019-8610 CVE-2019-8609 CVE-2019-8608
                   CVE-2019-8607 CVE-2019-8601 CVE-2019-8597
                   CVE-2019-8596 CVE-2019-8595 CVE-2019-8594
                   CVE-2019-8587 CVE-2019-8586 CVE-2019-8584
                   CVE-2019-8583 CVE-2019-8571 CVE-2019-6237

Reference:         ESB-2019.1032
                   ESB-2019.0991
                   ESB-2019.0990
                   ESB-2019.0989

Original Bulletin: 
   https://support.apple.com/en-au/HT210123

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel GroÃ\x{159} of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Gross of Google Project Zero
CVE-2019-8623: Samuel Gross of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

Additional recognition

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin
for their assistance.

Installation note:

Safari 12.1.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXNtNbmaOgq3Tt24GAQg2WA/+OIAomtZvzpUfvNQNZBEBT7haJ1JEL1YT
ASlfnYwAZ86JtzzTXtARWeSdxV7kbqu2IYuY6GbLTKA+zUBRCRT90IEIOvM4teK1
ldUmJpctldlYrO17QmjCYrxwQiqqA9vWKLP2UdPcKmxhZ4E8C7R7q1XXX//O4doZ
8YS0TKOIB2IZfgpWUEvZ9qTRJb/YZ8loTx+XZlp9pL/TsYk11U7cZuQBuZT7ZgG5
XS8217nYnuNtzKWV8vLOXH4tTwVsDnEN6nSq4VaCC8Map46rmZBgO2EuarrBbGTR
mNkM1HcR1/3NczRoRZvVxLY1LqB9wPoBfemZTsZf6jaxDt9UhcOoBehu25/IMhei
TLWar7J5Iohysr7n+M15QaiTcQIxii663hQUSViRehHWJ7lV2ZATWcQNJ/rrJCvB
f+SYZNNHPi0xPIcCd7E4zfbz2pKCpu3n1tN1o0dgmTNYoz/4e/qP5XQj7YhVAH7B
5oVp+Nd4r0O22MrDPYQCJmpJfY1mIPbQXS+9oxJvZl4akRDW88A7mHyBnm8RJNTi
+YJwW8TlEZRIePC8Dn2gAEVSWbIuOCmdAEYn7PQaBMHW5Q+6Kssu64+FdHNF7LE3
1wKKoTPoRPDEi8NYtQLRZeKEWFgX1aQZKqa7K4ZUkbWJakUy5fbzipG4CE8RV4MH
Nyrjwtom2YY=
=a3g2
-----END PGP SIGNATURE-----