VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2018 · Updated Aug 5, 2024

CVE-2018-4192

Description

WebKit race condition in iOS, Safari, tvOS, watchOS, iCloud, and iTunes allows arbitrary code execution via crafted website.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A race condition exists in the WebKit component of Apple products, including iOS before 11.4, Safari before 11.1.1, tvOS before 11.4, watchOS before 4.3.1, iCloud before 7.5 on Windows, and iTunes before 12.7.5 on Windows [1][2][3][4]. The issue allows remote attackers to execute arbitrary code by exploiting a race condition when processing a specially crafted website.

Exploitation

An attacker must convince a user to visit a malicious website, which triggers the race condition in WebKit. No authentication or special network position is required; exploitation is performed remotely by serving the crafted content via the web. The race window timing is the key attacker-controlled element.

Impact

Successful exploitation grants the attacker arbitrary code execution in the context of the affected application (e.g., MobileSafari or the WebKit framework). This can lead to full compromise of the device’s user data and further system access, depending on sandbox restrictions.

Mitigation

Apple released security updates for all affected products on May 29, 2018: iOS 11.4, Safari 11.1.1, tvOS 11.4, watchOS 4.3.1, iCloud 7.5 (Windows), and iTunes 12.7.5 (Windows) [1][2][3][4]. Users should update to the latest versions. No workarounds are available, and the vulnerability is not listed on CISA’s KEV as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is generated only when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

9
