Today Apple released updates for core products that include iOS 12.1, Safari 12.0.1, iCloud for Windows, iTunes, watchOS 5.1, tvOS 12.1, and macOS.

These security updates fix numerous code execution, privilege escalation, and information disclosure vulnerabilities. If you use any of the above products, you should update them as soon as possible.

iOS 12.1 fixes numerous FaceTime vulnerabilities

With the release of iOS 12.1, numerous fixes were released, including four fixes for FaceTime vulnerabilities. All of these vulnerabilities were discovered by Google Project Zero vulnerability researcher Natalie Silvanovich, and one of them is downright creepy.

According to the Apple security notes, the CVE-2018-4367 FaceTime vulnerability would allow a remote attacker to initiate a FaceTime call from your device through a code execution vulnerability. Imagine if your phone started placing FaceTime calls to random people.

BleepingComputer has reached out to Silvanovich for more information regarding this vulnerability, but had not heard back at the time of this publication.

The other three FaceTime vulnerabilities are memory corruption issues that could lead to arbitrary code execution.

macOS High Sierra update fixes bug that crashes other devices on network

Today's macOS Sierra and High Sierra update fixes a vulnerability that could allow an attacker to crash macOS High Sierra or iOS 11 devices on the same WiFi network.

This vulnerability was discovered by Kevin Backhouse and assigned CVE-2018-4407. In a blog post, Backhouse stated that the vulnerability can be triggered by sending a malicious packet to a vulnerable device on the same WiFi network. To make matters worse, the vulnerability is part of the core networking code and anti-virus software will not be able to protect users.

"The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel," stated Backhouse in a blog post about the vulnerability. "XNU is used by both iOS and macOS, which is why both types of devices are affected. To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device. No user interaction is required. The attacker only needs to be connected to the same network as the target device. For example, if you are using the free WiFi in a coffee shop then an attacker can join the same WiFi network and send a malicious packet to your device. (If an attacker is on the same network as you, it is easy for them to discover your device's IP address using nmap.) To make matters worse, the vulnerability is in such a fundamental part of the networking code that anti-virus software will not protect you: I tested the vulnerability on a Mac running McAfee® Endpoint Security for Mac and it made no difference. It also doesn't matter what software you are running on the device - the malicious packet will still trigger the vulnerability even if you don't have any ports open."

Backhouse posted a video demonstration of the vulnerability to Twitter:

Video of my PoC for CVE-2018-4407. It crashes any macOS High Sierra or iOS 11 device that is on the same WiFi network. No user interaction required. pic.twitter.com/tXtp7QRCp8 — Kevin Backhouse (@kevin_backhouse) October 30, 2018

Below are the rest of the Apple security updates released today.