Apple launched a new patch for its operating system – the fifth this year – correcting the quick response code issue.
Apple has announced that the iPhone QR code security flaw that made headlines in March has been repaired. QR Code Press first reported on this issue on March 29, in the article “iPhone QR code reader issue sends users to malicious sites.”
The issue was repaired in 2018’s fifth security patch update for the Apple operating system, iOS 11.3.1.
macOS also received an update, to macOS 10.13.4, that fixed the QR code security flaw along with other issues. This latest security update came within a month of the previous one. In total, it patched four different vulnerabilities: two in macOS and two in the Safari 11.1 browser update.
One of the most significant issues corrected by the patches was CVE-2018-4187, a LinkPresentation flaw that existed in both macOS and iOS.
Ahead of this patch, Apple released an advisory stating that “Processing a maliciously crafted text message may lead to UI spoofing.” It added that “A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.”
Few details about the QR code security flaw were provided within the Apple advisory.
The spoofing issue lay in the iPhone’s QR code reader itself. As stated in the QR Code Press article, security researcher Roman Mueller first publicly reported the issue on March 24, calling it a QR code URL parser bug.
Mueller’s report identified a problem in the URL parser in both iOS and macOS: a crafted URL could make the QR code scan notification display a different hostname from the one Safari would actually open.
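The defensive principle behind Apple’s “improved input validation” fix is that the hostname a scanner shows must come from the same standards-based parser that decides where the browser goes, and that URLs whose authority carries userinfo (an “@” before the host) should not be offered at all. The check below is an added illustration written for this article, not Apple’s or Mueller’s code; the sample URLs and the `validate_scanned_url` function are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs for the check below (not taken from the original report).
SAMPLES = [
    "https://trusted.example/path",                  # plain URL: safe to show and open
    "https://trusted.example@other.example/login",   # userinfo: a naive preview could show the wrong host
    "https://other.example:443/?u=trusted.example",  # host-like text only in the query: harmless
    "ftp://other.example/",                          # not a web URL: a QR scanner should not offer it
]

HOST_CHARS = re.compile(r"[A-Za-z0-9.\-]+")  # conservative DNS hostname alphabet


def effective_host(url: str) -> str:
    """Host the browser will actually connect to, as seen by a standards-based parser."""
    return (urlsplit(url).hostname or "").lower()


def validate_scanned_url(url: str) -> dict:
    """Decide what a QR scanner should display and whether the URL may be offered.

    Rules: only http(s); no userinfo in the authority; host must be present and
    made of plain hostname characters. The displayed host is always the one the
    parser will open, so the preview cannot disagree with the navigation target.
    """
    parts = urlsplit(url)
    host = effective_host(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme")
    if "@" in parts.netloc:
        reasons.append("userinfo present in authority")
    if not host:
        reasons.append("no host")
    elif not HOST_CHARS.fullmatch(host):
        reasons.append("host contains unexpected characters")
    return {"display_host": host, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", validate_scanned_url(sample))
```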
Apple also went beyond the QR code security flaw in its latest updates by patching a number of memory corruption issues in both macOS and iOS. Two of those issues were reported by security researchers from Google’s Project Zero team.