About the security content of Safari 12.1.2

This document describes the security content of Safari 12.1.2.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

Safari 12.1.2

Safari

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2019-8670: Tsubasa FUJII (@reinforchu)

WebKit

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

WebKit

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero