Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3247
Apple fixes regression for CVE-2019-8605 in its operating systems
27 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: iOS
macOS
tvOS
Publisher: Apple
Operating System: Apple iOS
Mac OS
Impact/Access: Root Compromise -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-8605
Reference: ESB-2019.1697
ESB-2019.1696
ESB-2019.1695
ESB-2019.1694
Original Bulletin:
https://support.apple.com/en-au/HT210549
https://support.apple.com/en-au/HT210548
https://support.apple.com/en-au/HT210550
Comment: This bulletin contains three (3) Apple security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-8-26-1 iOS 12.4.1
iOS 12.4.1 is now available and addresses the following:
Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero
Additional recognition
Kernel
We would like to acknowledge @Pwn20wnd for their assistance.
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "iOS 12.4.1".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFecACgkQBz4uGe3y
0M0DRw//YmdQNBN0iQqFZvvnlb4ytWimIXBJoSSDrNs3qzPeKncy50oZDczu8D8k
yD8RmN/PPia4rRvTmkDE5XKgxyRCnCiwe3JkR3FZEfWaChAqJI9ietsLjkUF0noP
M4cyUCXwveDRMqAierXSuKuwr3jgvzHtaFBrdrZYwcMMjlNRaKPMv3mkaMPnpPV/
9os2uZU/zrXvcG8ptp/I8FqfvuXRik91b3F+BCO50jfubGOIakgUJhf+nBHoj/+D
1DORc00FAmd50CXA50s5sD+QNEcBtLo+orAYN+J37rQxYWoFbTYazZ/mTd/AfAiL
+AZCajkZckDypZYCZWimxQtCY8+Nm+HgBp7Tj8a9vrG80ayD2Ze4aw1By9cUuDHN
LZwa+a+aClhHzMzxEQWt74EW5z1XDm1ZdHCE6ME43xlwigYiJSMbJKasWvYqWFAo
MTmwcKkm2tct1k8g94CLIYDKF6SxDMUkzLwo+YD5hKYSGUrlr0VSEGS/o6upyXS8
htO1N2ld6b84dSDRSsVUCXjxld8bvOkH7F8zjeGLKw3EMNbFsAIqysJSHs2sWtLN
5Mltwj8u2aiUo+ayf0RUY30UxZ8jhH1xEl3PyE2i+WzqsgEsEewjoF4m7KphuRil
gVoCXuag6s24yNUboaoOB06Q7g/54ttni4ai7MSn0pzQJKapiSk=
=QYKC
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-8-26-2 macOS Mojave 10.14.6 Supplemental Update
macOS Mojave 10.14.6 Supplemental Update is now available and
addresses the following:
Kernel
Available for: macOS Mojave 10.14.6
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero
Additional recognition
Kernel
We would like to acknowledge @Pwn20wnd for their assistance.
Installation note:
macOS Mojave 10.14.6 Supplemental Update may be obtained from the Mac
App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFfgACgkQBz4uGe3y
0M0cTw//dP4wrZN4RqKI/Jk4ogQb/N3xOBFhfmK+QStQP7NNslk8xMNQ/N7kPTRn
2bUSMmTXOupXXdP1MgDa4wmti8SB/CfB8TmtPER0DUtiLoeTXv+/CIv/ZcdQOi1Y
ICE9qBa+vcX++yifYZzhBBZ1sPFflAwUlG5khXzMjFGo58NkoWMT8atDlWB1KGSi
744GilS8PGO/Bw6MNlWmK4gZCSjx1e+bGF/BU+P2TvkSaB8s9GD70ECfj+9FECmU
9ZQE3n6+78KbM8S6UShSUsWRVtMiyfqavmopAgpZUBSqQ94jzUtqhWD+Q3DnR97p
WdwIRuJjPxtf21YND9V61Sp/KY4Cf6IVAww5cUoUnTLcPQ0B17AT1qs3Fp+d4iGz
V14YF1rDkbyaCEvIeDyOW8nig1IA07uo4zpH4RzwanjWQPd3BIw24IjvOjq9m18c
rxiV6wqpPWNBaytwc/T50vWqK2EqFc1lNA/Azw7k+MxCcHLm0fP+B230JtNiu2nh
bI8SlN/3i7FiUjR2GS6UaMlxCGIXlUsZa6eP6gB/DF03zSFhXMBEu94YZKd927+9
xQ6TypwG/9BBvAuhAvGwCyW5Y9VJBQHCYns9D9T+RWu3GrvlSlz0JtdRxnjSbNQn
pu5zW/1Ltrb1qvnb1iWTFu6IiqOMYKDsGNwfc/Y35rN03QEywkI=
=B+5n
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-8-26-3 tvOS 12.4.1
tvOS 12.4.1 is now available and addresses the following:
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero
Additional recognition
Kernel
We would like to acknowledge @Pwn20wnd for their assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFfgACgkQBz4uGe3y
0M3LxxAAhd3dNmgTWTjyWFi43axxWCPBHVudzGWrMFACG4l9025YmqW/A73kO9Jo
j/jEonLUCXzJCzc9bb5t/Mem5Ti1wpHM/HpZ8lpubCU07T4old5N6cAcwVg95YMC
U8xnKBucXTuf3CXk9FUUamDj5RPm9jTzgSQpDvwytMoKjXkaXdN1dTZB4MxTLHg5
tBFTMiIcw7IuI7+DYExTbe71ScLT+JCuShoI9b666B0OjiaBC5mNSj1VJTC5583J
MwgoFK/KP/5T9uIXOqz+sjvcDlTOL6Y6sR78kEwggHTQT1NyAxlck+ht3e9oZzqG
cqe6fJnduYPm4bHJpx2SYqzPrf+2xKzYm0up/thuiQ4SxixsUbC1uljec/zkm4e4
v3jxGYtsckbfjQjRCvXIWKDmtqDPqA0dvRGkNEO+oEsP0YoY1a3SFpgVbq1Cpm89
RkR+/XRa51LQ7+/2xxrHrOeIyJUcm+RRiaME+79umJ8kuNuAlVtqIyqLBqaT5hyd
jteN6pQz2wKHuiectT5AUSQVNNIcFkeEPl6/o4SOeqokQ8zCYSoWn4jAo3U+cpg3
PpYSKrL+fOEGaa82oAUKaEJvOuMM85CTNVmsioMfaPRPSs5K2+4AXshAzckHpNcn
I5ps+5DrSU8qWG/NodcryDArxIchO8aBTSH9DkUVGBeN6L4+E+A=
=U5HO
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXWSIM2aOgq3Tt24GAQjOphAApfiVcrm/yFj+7Hg1l43mA+h4wSdOad32
JiEeuIjA8HlY688ck0+eZGzUyk340KgDNyiTSP6E8K7LSUSLEdgKQ0Ba/Rcze+vR
kJYKA8MFi4KZdwLT3Rc01dODF2LyKJa79PXdxYYyZ9hpB+4q3EfP9+auRbyxH2m9
a0QrbR8vHpudaRl57Q5rTqqfEXM04mwHinncJCVZhh2DINMQhZPiwr/BDYblWFqb
wvkyAmtqjRckVqNFc1AnmMBGETNP7bEZSTWJo1hY4Q7Fwt16RTNCp8GOQMv0NkX6
jrVS2OtgmrHKVDEKFcMmMlj4Pd6jKA/tk9A1LbCy1mWFqzkp8EdpSwQVgUcVM24V
eaROncFW9N8ZQ2q8eA9M1Mg3cCq4CFlwvr0d4UaQBJj0izlEto0oGxHxR9TbIUSg
q7PjtCjEp1CYlho/99kdl2DsONbbWU+MGsxbW2ZWL2ExqyJKZaqmoKQX8+cl/hxf
YEoJje1RjcWBWYG5uk4dLMsYjhw499dnouJbtTjfMhJhjJOuzp11HUCzRn/6lW+w
yqUpLmOhDxO65lzleox21vNf1Y7qGYQuJo5VJaX1ecjKIQZqQZK4Ife27SRgc4bu
8NpItnqLrpvX6orB3uHQfiHjaQKzx6b1s/SF5TdaxInpW5ekqf+CE9kpN7bCziOD
mJNaUyrbd5k=
=oBsL
-----END PGP SIGNATURE-----