Kernel Patches For Mac
Released January 23, 2018

Audio
Available for: macOS High Sierra 10.13.2, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4094: Mingi Cho, Seoyoung Kim, Young-Ho Lee, MinSik Shin and Taekyoung Kwon of the Information Security Lab, Yonsei University
Entry updated November 16, 2018

curl
Available for: macOS High Sierra 10.13.2
Impact: Multiple issues in curl
Description: An integer overflow existed in curl. This issue was addressed with improved bounds checking.
CVE-2017-8816: Alex Nichols
Entry added November 16, 2018

curl
Available for: macOS High Sierra 10.13.2
Impact: Multiple issues in curl
Description: An out-of-bounds read issue existed in curl. This issue was addressed with improved bounds checking.
CVE-2017-8817: found by OSS-Fuzz
Entry updated November 16, 2018

EFI
Available for: macOS High Sierra 10.13.2, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Description: Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code.
CVE-2017-5705: Mark Ermolov and Maxim Goryachy from Positive Technologies
Entry added January 30, 2018

EFI
Available for: macOS High Sierra 10.13.2, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Description: Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector.
CVE-2017-5708: Mark Ermolov and Maxim Goryachy from Positive Technologies
Entry added January 30, 2018

IOHIDFamily
Available for: macOS High Sierra 10.13.2, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4098: Siguza

Kernel
Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read kernel memory (Meltdown)
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
Windows Kernel Patch
A security flaw in Intel processors has led to a redesign of Linux and Windows kernels. Programmers have been busy for the past two months patching the Linux kernel’s virtual memory system to protect against a hardware bug in Intel CPUs that could let attackers exploit security weaknesses and access security keys, passwords, and files cached from a disk.
That software updates are required for both Windows and Linux systems, and performance of a machine will be affected. Reports suggest information around the specific bug has been between software and hardware vendors, and patches for the Linux kernel include comments that have been redacted to prevent attackers discovering the precise weakness. The security bug could be present on Intel processors manufactured over the past 10 years, meaning many systems will require updates.

Flaw is related to kernel memory access

The exact bug is related to the way that regular apps and programs can discover the contents of protected kernel memory areas.
Kernels in operating systems have complete control over the entire system, and connect applications to the processor, memory, and other hardware inside a computer. There appears to be a flaw in Intel’s processors that lets attackers bypass kernel access protections so that regular apps can read the contents of kernel memory.
To protect against this, Linux programmers have been separating the kernel's memory away from user processes in what’s being called “.” The problem with this isolation is that some programmers are after systems are patched. That the slowdowns could be between 5 and 30 percent depending on the exact Intel processor. While Linux patches have been rolling out over the past month, a Windows 10 patch is not yet available. Some are speculating that Microsoft will deliver this in an upcoming Patch Tuesday, as the company started separating the NT kernel memory with Windows 10 beta builds in November. “We have nothing to share at this time,” says a Microsoft spokesperson, in response to a query from The Verge.
It’s still unclear how these patches will affect regular Windows, Mac, and Linux machines. AppleInsider reports that for the security bug in macOS 10.13.2, which was released last month. Citing multiple sources at Apple and developer Alex Ionescu, who publicly identified code that points to the fix, the report says Apple has mitigated the flaw by altering existing programming requirements related to the kernel memory data in macOS. More changes are expected to come with 10.13.3 soon, AppleInsider reports. Still, that virtual machines and cloud providers will be most affected by the security problem and resulting performance hits.
Microsoft’s Azure cloud will experience maintenance next week, and Amazon Web Services has warned that a big security update is coming on Friday. That its own processors are not affected by this security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer. As a result of Intel’s processor flaw. Intel has not yet publicly commented on the security problem.

Update, 1:30PM ET: Article updated with a statement from Microsoft.
Update, 2:38PM ET: Article updated with information about an Apple fix for the flaw.