Allele Security Alert
ASA-2018-00045
Identifier(s)
ASA-2018-00045, CVE-2018-4277
Title
Address bar spoofing
Vendor(s)
Apple
Product(s)
Apple watchOS
Apple iOS
Apple tvOS
Apple macOS High Sierra
Apple Safari
Affected version(s)
Apple watchOS before 4.3.2
Apple iOS before 11.4.1
Apple tvOS before 11.4.1
Apple macOS High Sierra before 10.13.5
Apple Safari before 11.1.1
Fixed version(s)
Apple watchOS 4.3.2
Apple iOS 11.4.1
Apple tvOS 11.4.1
Apple macOS High Sierra 10.13.5
Apple Safari 11.1.1
Proof of concept
Unknown
Description
A spoofing issue existed in the handling of URLs. Affected Apple products did not distinguish the Latin small letter dum (U+A771) glyph from the Latin small letter d (U+0064), so an attacker could register domains using the former and they would be displayed as the latter.
This issue was addressed with improved input validation.
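The check below is an added example, not code from the advisory, from Apple or from the referenced write-up. It decodes a hostname from its wire (ACE, "xn--") form using plain RFC 3492 punycode, flags the U+A771/U+0064 confusable pair named above plus any non-ASCII code point mixed into a label with ASCII letters, and reports what the hostname would look like to a viewer who cannot tell the two glyphs apart; the sample hostnames and the function names are constructed for this example.

```python
import unicodedata

# Confusable pair described in this advisory (CVE-2018-4277): on affected Apple
# software, LATIN SMALL LETTER DUM (U+A771) rendered the same as 'd' (U+0064).
CONFUSABLES = {"\ua771": "d"}


def to_unicode_label(label):
    """Decode one ACE ("xn--") label to Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ace_label(label):
    """Encode one Unicode label to ACE form (RFC 3492 punycode, no IDNA mapping)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def analyze_hostname(hostname):
    """Report confusable and mixed-script labels in a hostname.

    Accepts either the Unicode form or the ACE form seen on the wire and
    returns the ACE form, the Unicode form, the look-alike ASCII rendering
    a confused viewer would see, and a list of textual findings.
    """
    labels = [to_unicode_label(part) for part in hostname.split(".")]
    findings = []
    for idx, label in enumerate(labels):
        has_ascii_letter = any(c.isascii() and c.isalpha() for c in label)
        for pos, ch in enumerate(label):
            if ch in CONFUSABLES:
                findings.append(f"label {idx} pos {pos}: U+{ord(ch):04X} "
                                f"({unicodedata.name(ch)}) looks like '{CONFUSABLES[ch]}'")
            elif not ch.isascii() and has_ascii_letter:
                # Generic mixed-script signal, not specific to U+A771.
                findings.append(f"label {idx} pos {pos}: non-ASCII U+{ord(ch):04X} "
                                f"mixed with ASCII letters")
    unicode_form = ".".join(labels)
    lookalike = unicode_form.translate({ord(k): v for k, v in CONFUSABLES.items()})
    return {
        "ace": ".".join(to_ace_label(label) for label in labels),
        "unicode": unicode_form,
        "lookalike": lookalike,
        "spoofing": lookalike != unicode_form,  # True when a confusable is present
        "findings": findings,
    }
```

Feeding the ACE form back into analyze_hostname reproduces the Unicode form, so the same function works on hostnames taken from DNS logs or certificate SANs.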
Technical details
Unknown
Credits
xisigr (Tencent Xuanwu Lab)
Reference(s)
Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277]
https://xlab.tencent.com/en/2018/11/13/cve-2018-4277/
About the security content of watchOS 4.3.2
https://support.apple.com/en-us/HT208935
About the security content of iOS 11.4.1
https://support.apple.com/en-us/HT208938
About the security content of tvOS 11.4.1
https://support.apple.com/en-us/HT208936
About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
https://support.apple.com/en-us/HT208937
About the security content of Safari 11.1.1
https://support.apple.com/en-us/HT208854
CVE-2018-4277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4277
CVE-2018-4277
https://nvd.nist.gov/vuln/detail/CVE-2018-4277
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 6, 2019