Twenty Year Anniversary

Apple Security Advisory 2017-05-15-2

Apple Security Advisory 2017-05-15-2
Posted May 15, 2017
Authored by Apple | Site apple.com

Apple Security Advisory 2017-05-15-2 - iOS 10.3.2 is now available and addresses memory corruption, code execution, and various other vulnerabilities.

tags | advisory, vulnerability, code execution
systems | cisco, apple, ios
advisories | CVE-2017-2495, CVE-2017-2496, CVE-2017-2497, CVE-2017-2498, CVE-2017-2499, CVE-2017-2501, CVE-2017-2502, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2507, CVE-2017-2508, CVE-2017-2510, CVE-2017-2513, CVE-2017-2514, CVE-2017-2515, CVE-2017-2518, CVE-2017-2519, CVE-2017-2520, CVE-2017-2521, CVE-2017-2524, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2538
MD5 | 15f38e3c3854fe955222968c9e625838

Apple Security Advisory 2017-05-15-2

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-05-15-2 iOS 10.3.2

iOS 10.3.2 is now available and addresses the following:

AVEVideoEncoder
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-6989: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

CoreAudio
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team

iBooks
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: A maliciously crafted book may open arbitrary websites
without user permission
Description: A URL handling issue was addressed through improved
state management.
CVE-2017-2497: Jun Kokatsu (@shhnjk)

iBooks
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
root privileges
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed through improved path
sanitization.
CVE-2017-6981: evi1m0 of YSRC (sec.ly.com)

IOSurface
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to gain kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-6979: Adam Donenfeld of Zimperium zLabs

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-2501: Ian Beer of Google Project Zero

Kernel
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-2507: Ian Beer of Google Project Zero
CVE-2017-6987: Patrick Wardle of Synack

Notifications
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to cause a denial of service
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-6982: Vincent Desmurs (vincedes3), Sem Voigtlander
(OxFEEDFACE), and Joseph Shenton of CoffeeBreakers

Safari
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Visiting a maliciously crafted webpage may lead to an
application denial of service
Description: An issue in Safari's history menu was addressed through
improved memory handling.
CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc.

Security
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Update to the certificate trust policy
Description: A certificate validation issue existed in the handling
of untrusted certificates. This issue was addressed through improved
user handling of trust acceptance.
CVE-2017-2498: Andrew Jerman

SQLite
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2513: found by OSS-Fuzz

SQLite
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-2518: found by OSS-Fuzz
CVE-2017-2520: found by OSS-Fuzz

SQLite
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-2519: found by OSS-Fuzz

SQLite
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working
with Trend Micro's Zero Day Initiative
CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working
with Trend Micro's Zero Day Initiative

TextInput
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Parsing maliciously crafted data may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-2524: Ian Beer of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-2496: Apple
CVE-2017-2505: lokihardt of Google Project Zero
CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with
Trend Microas Zero Day Initiative
CVE-2017-2514: lokihardt of Google Project Zero
CVE-2017-2515: lokihardt of Google Project Zero
CVE-2017-2521: lokihardt of Google Project Zero
CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab (
tencent.com) working with Trend Microas Zero Day Initiative
CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab
(tencent.com) working with Trend Microas Zero Day Initiative
CVE-2017-2530: Wei Yuan of Baidu Security Lab
CVE-2017-2531: lokihardt of Google Project Zero
CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro's
Zero Day Initiative
CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro's
Zero Day Initiative
CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro's
Zero Day Initiative
CVE-2017-2547: lokihardt of Google Project Zero,
Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day
Initiative
CVE-2017-6980: lokihardt of Google Project Zero
CVE-2017-6984: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit Editor
commands. This issue was addressed with improved state management.
CVE-2017-2504: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit
container nodes. This issue was addressed with improved state
management.
CVE-2017-2508: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of pageshow
events. This issue was addressed with improved state management.
CVE-2017-2510: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of WebKit cached
frames. This issue was addressed with improved state management.
CVE-2017-2528: lokihardt of Google Project Zero

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues with addressed through
improved memory handling.
CVE-2017-2536: Samuel GroA and Niklas Baumstark working with Trend
Micro's Zero Day Initiative

WebKit
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in frame loading. This issue was
addressed with improved state management.
CVE-2017-2549: lokihardt of Google Project Zero

WebKit Web Inspector
Available for: iPhone 5 and later, iPad 4th generation and later,
and iPod touch 6th generation
Impact: An application may be able to execute unsigned code
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-2499: George Dan (@theninjaprawn)

Installation note:

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "10.3.2".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIbBAEBCgAGBQJZGd7rAAoJEIOj74w0bLRGS4kP+Lc6slIXsaBr4WUGGX9bn0ej
klXxesL3SNerIMYNK3HUnw/8bM3uhsxKcb8I1OC0lFw3xqtxCs2Mt7qDWOvZ8yvy
7eg55Pbx/YVQUV3fSCTRYsGclHFAVNvw7NxgXJEh27Jb+3pLleLzOlepMwhgstxy
REEhMVZrjkzQNEXU14r+o7YePowIezfs9pPBYyT/jQk3z5DH/kxIe9J8nP/4yHU3
1Ygvm/VwgXjdMVzR60WY72D/jahVePFK0gjR0omOsYc7KslOirkJ18arf7MI3iC5
yOVs6zvh17nPvQXJr5rbZivMfD5RWB+iTAFtdlT9vReEDgSjizxn/kiwWWeujOzB
ORZmk+BZ0NzSR07sMrINeWmqAhgxKT3D7eCslU/BcRtLoIEsFvje+HgUk7gxoA0U
xirgc0nKaB2eNrUxw7GFtV0pWq5fNwdZ2HWQvBL9e73up+XDi9TE/xylUzTGx50b
SJl/N491dvIE8BmDUTRlkkTE44SQcATppE76CoLj8y/ncva/Os5KgybZt0Hq0zAV
HA8yprCh35iTtqn3D4KyN85XJaLBuYn8nAmF0VQ6ixSekmc6e9RY1vqG7yFXTTkb
P9TPLHpbuPGeRenvm/WezkJCQJsUQ64UwT07evtXJfHLuWGCfF4pLIkvfSiVaI8G
ucaPHZqagilOIk1zNYk=
=26IY
-----END PGP SIGNATURE-----



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    14 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close