Apple is generally regarded as attentive to the security of its products, but those products have recently seen a steady stream of vulnerabilities. On September 25, 2017, Apple released security updates addressing issues in iCloud for Windows, the macOS operating system, and macOS Server. In total, the updates fix 67 vulnerabilities.

By exploiting these vulnerabilities, attackers could compromise the affected products and take control of the affected systems, so the patches should be applied to the respective products without delay.

Apple security updates

Apple does not disclose or discuss security issues until it has investigated them thoroughly and released patches, since discussing them publicly beforehand would put customers’ protection at risk.

Security content of macOS High Sierra 10.13

Application Firewall

Available for: OS X Lion 10.8 and later
Impact: A previously denied application firewall setting may take effect after upgrading
Description: An upgrade issue existed in the handling of firewall settings. This issue was addressed through improved handling of firewall settings during upgrades.
CVE-2017-7084: an anonymous researcher

AppSandbox

Available for: OS X Lion 10.8 and later
Impact: An application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-2017-7074: Daniel Jalkut of Red Sweater Software

Captive Network Assistant

Available for: OS X Lion 10.8 and later
Impact: A local user may unknowingly send a password unencrypted over the network
Description: The security state of the captive portal browser was not obvious. This issue was addressed with improved visibility of the captive portal browser security state.
CVE-2017-7143: an anonymous researcher

CFNetwork Proxies

Available for: OS X Lion 10.8 and later
Impact: An attacker in a privileged network position may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.

CoreAudio

Available for: OS X Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend Micro

Directory Utility

Available for: OS X Lion 10.8 and later
Impact: A local attacker may be able to determine the Apple ID of the owner of the computer
Description: A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls.
CVE-2017-7138: an anonymous researcher

File

Available for: OS X Lion 10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version 5.30.
CVE-2017-7121: found by OSS-Fuzz
CVE-2017-7122: found by OSS-Fuzz
CVE-2017-7123: found by OSS-Fuzz
CVE-2017-7124: found by OSS-Fuzz
CVE-2017-7125: found by OSS-Fuzz
CVE-2017-7126: found by OSS-Fuzz

Heimdal

Available for: OS X Lion 10.8 and later
Impact: An attacker in a privileged network position may be able to impersonate a service
Description: A validation issue existed in the handling of the KDC-REP service name. This issue was addressed through improved validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams

IOFireWireFamily

Available for: OS X Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7077: Brandon Azad

IOFireWireFamily

Available for: OS X Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7119: Xiaolong Bai, Min (Spark) Zheng of Alibaba Inc., Benjamin Gnahm (@mitp0sh) of PDX

Kernel

Available for: OS X Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity

libc

Available for: OS X Lion 10.8 and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed through an improved algorithm.
CVE-2017-7086: Russ Cox of Google

libc

Available for: OS X Lion 10.8 and later
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through improved memory handling.
CVE-2017-1000373

libexpat

Available for: OS X Lion 10.8 and later
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version 2.2.1.
CVE-2016-9063
CVE-2017-9233

Mail

Available for: OS X Lion 10.8 and later
Impact: The sender of an email may be able to determine the IP address of the recipient
Description: Turning off “Load remote content in messages” did not apply to all mailboxes. This issue was addressed with improved setting propagation.
CVE-2017-7141: an anonymous researcher

Mail Drafts

Available for: OS X Lion 10.8 and later
Impact: An attacker with a privileged network position may be able to intercept mail contents
Description: An encryption issue existed in the handling of mail drafts. This issue was addressed with improved handling of mail drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an anonymous researcher

ntp

Available for: OS X Lion 10.8 and later
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version 4.2.8p10.
CVE-2017-6451: Cure53
CVE-2017-6452: Cure53
CVE-2017-6455: Cure53
CVE-2017-6458: Cure53
CVE-2017-6459: Cure53
CVE-2017-6460: Cure53
CVE-2017-6462: Cure53
CVE-2017-6463: Cure53
CVE-2017-6464: Cure53
CVE-2016-9042: Matthew Van Gundy of Cisco

Screen Lock

Available for: OS X Lion 10.8 and later
Impact: Application Firewall prompts may appear over Login Window
Description: A window management issue was addressed through improved state management.
CVE-2017-7082: Tim Kingman

Security

Available for: OS X Lion 10.8 and later
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling of revocation data. This issue was addressed through improved validation.
CVE-2017-7080: Sven Driemecker of adesso mobile solutions gmbh, Rune Darrud (@theflyingcorpse) of Bærum kommune, an anonymous researcher, an anonymous researcher

SQLite

Available for: OS X Lion 10.8 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version 3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz

SQLite

Available for: OS X Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7127: an anonymous researcher

zlib

Available for: OS X Lion 10.8 and later
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version 1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843

Security content of iCloud for Windows 7.0

SQLite

Available for: Windows 7 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7127: an anonymous researcher

WebKit

Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-7081: Apple

WebKit

Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative
CVE-2017-7092: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team
CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
CVE-2017-7104: likemeng of Baidu Security Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro’s Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (陈钦) of Ant-financial Light-Year Security Lab

WebKit

Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of parent-tab. This issue was addressed with improved state management.
CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC

WebKit

Available for: Windows 7 and later
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes.
CVE-2017-7090: Apple

WebKit

Available for: Windows 7 and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

WebKit

Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-7109: avlidienbrunn

Security content of macOS Server 5.4

FreeRadius

Available for: macOS High Sierra 10.13
Impact: Multiple issues in FreeRADIUS
Description: Multiple issues existed in FreeRADIUS before 2.2.10. These were addressed by updating FreeRADIUS to version 2.2.10.
CVE-2017-10978
CVE-2017-10979
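As an added example (not part of the original post or of Apple's advisory), the following Python script turns the fixed upstream component versions listed in the macOS High Sierra 10.13 and macOS Server 5.4 entries above into an inventory check, so a defender can flag hosts still running a pre-fix build of file, expat, ntp, SQLite, zlib, Opus or FreeRADIUS. The sample inventory is constructed, and the component names used as keys are this example's own convention.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions of bundled third-party components, taken from the
# "addressed by updating to version ..." lines of the advisory entries above.
FIXED_VERSIONS = {
    "opus": "1.1.4",         # CoreAudio, CVE-2017-0381
    "file": "5.30",          # CVE-2017-7121 .. CVE-2017-7126
    "expat": "2.2.1",        # CVE-2016-9063, CVE-2017-9233
    "ntp": "4.2.8p10",       # CVE-2017-6451 et al., CVE-2016-9042
    "sqlite": "3.19.3",      # CVE-2017-10989, CVE-2017-7128 .. CVE-2017-7130
    "zlib": "1.2.11",        # CVE-2016-9840 .. CVE-2016-9843
    "freeradius": "2.2.10",  # macOS Server 5.4, CVE-2017-10978, CVE-2017-10979
}

def version_key(version: str) -> Tuple:
    """Split a version string into comparable pieces. Numeric runs compare
    numerically and letter runs lexically, so 4.2.8p10 > 4.2.8p9 > 4.2.8
    and 3.19.3 > 3.9.3 (a plain string compare would get both wrong)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def is_vulnerable(component: str, installed: str) -> bool:
    """True when the installed version predates the fixed version."""
    fixed = FIXED_VERSIONS[component.lower()]
    return version_key(installed) < version_key(fixed)

def check_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the components in an inventory that still need the fix.
    Components this advisory does not cover are skipped, not guessed at."""
    return sorted(name for name, ver in inventory.items()
                  if name.lower() in FIXED_VERSIONS and is_vulnerable(name, ver))

# Constructed sample inventory (hypothetical host, not real data).
SAMPLE_INVENTORY = {
    "ntp": "4.2.8p9",
    "sqlite": "3.19.3",
    "zlib": "1.2.8",
    "expat": "2.2.1",
    "file": "5.29",
    "freeradius": "2.2.10",
    "opus": "1.1.4",
    "openssl": "1.0.2l",  # not in this advisory, so it is skipped
}

if __name__ == "__main__":
    for name in check_inventory(SAMPLE_INVENTORY):
        print(f"{name}: installed {SAMPLE_INVENTORY[name]} "
              f"< fixed {FIXED_VERSIONS[name]}")
```

On macOS the fix arrives with the 10.13 update itself, so the OS build is the authoritative check; the upstream version compare is useful where the same libraries are tracked independently (a software inventory, a container image, or the FreeRADIUS deployment behind macOS Server).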
