US-CERT warning over security vulnerabilities found in Apple MacOS and iOS

Security researchers have found dozen of vulnerabilities affecting iOS and MacOS

Apple Mac, iPhone and iPad users are being warned about a number of flaws affecting Apple software, which are so fresh they haven't even been categorised yet.

The vulnerabilities, included in the latest US-Cert Cyber Security Bulletin, were announced by the National Institute of Standards and Technology and the National Vulnerability Database on Monday.

They affect a range of Apple devices and software, primarily MacOS and iOS. However, the flaws haven't been evaluated for their severity at this moment in time, but include remote code execution flaws potentially enabling an attacker to take control of a user's device.

MacOS versions before 10.13.1, in particular, appear to be riddled with flaws.

Remote attackers are targeting versions before 8.40 to cause denial of service (application crash), but the researchers suspect they have other (unidentified) capabilities.

In the same version of MacOS, there's also an issue affecting the Kernel component, which enables hackers to bypass memory-read restrictions completely.

The Sandbox component is listed as concern, too. Throughout the latter, cyber crooks are deploying arbitrary code in a "privileged context" and aiming to cause a denial of service via a crafted app.

Hackers have found a way to leverage TLS 1.0 support to compromise the 802.1X component, although the impact has been listed as unspecified.

Like many of the other components, hackers could deploy arbitrary code using AppleScript. They're able to do this by making use of a crafted AppleScript file that's mishandled by Osadecompile.

There's an issue with the ImageIO component that enables hackers to obtain sensitive information or cause a denial of service through a crafted image.

According to the security researchers, there are a string of vulnerabilities across other Apple software, including the iOS operating systems used in the majority of iPhones and iPads.

They wrote: "An issue was discovered in certain Apple products. iOS before 11.1 is affected.

"Safari before 11.0.1 is affected. iCloud before 7.1 on Windows is affected. iTunes before 12.7.1 on Windows is affected. tvOS before 11.1 is affected.

"The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site."

They made it clear that this information can change, adding: "The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard.

"Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available.

"Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.