Exploit the possiblities

Apple Security Advisory 2017-09-25-3

Apple Security Advisory 2017-09-25-3
Posted Sep 28, 2017
Authored by Apple | Site apple.com

Apple Security Advisory 2017-09-25-3 - Safari 11 addresses address bar spoofing, code execution, and various other vulnerabilities.

tags | advisory, spoof, vulnerability, code execution
systems | apple
advisories | CVE-2017-7081, CVE-2017-7085, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7106, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120, CVE-2017-7142, CVE-2017-7144
MD5 | 546f0cf84a04b0731e0d0c15dfe66b1d

Apple Security Advisory 2017-09-25-3

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-09-25-3
Additional information for APPLE-SA-2017-09-19-2 Safari 11

Safari 11 addresses the following:

Safari
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Microas Zero Day Initiative
CVE-2017-7092: Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team,
Samuel Gro and Niklas Baumstark working with Trend Micro's Zero Day
Initiative
CVE-2017-7093: Samuel Gro and Niklas Baumstark working with Trend
Microas Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Microas Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto TecnolA3gico de AeronA!utica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Secutity Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (ee|) of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
This issue was addressed with improved state management.
CVE-2017-7089: Frans RosA(c)n of Detectify, Anton Lopanitsyn of ONSEC

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7090: Apple
Entry added September 25, 2017

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-7109: avlidienbrunn
Entry added September 25, 2017

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: A malicious website may be able to track users in
Safari private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
Entry added September 25, 2017

WebKit Storage
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Website data may persist after a Safari Private browsing
session
Description: An information leakage issue existed in the handling of
website data in Safari Private windows. This issue was addressed with
improved data handling.
CVE-2017-7142: an anonymous researcher, an anonymous researcher, an
anonymous researcher
Entry added September 25, 2017

Additional recognition

WebKit
We would like to acknowledge xisigr of Tencent's Xuanwu Lab
(tencent.com) for their assistance.

Installation note:

Safari 11 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJZyUQfAAoJEIOj74w0bLRG/OcQAMYUtsjsKZSQngaIfrbsJJws
0FyAha36FHpQgo4EJ7sREcm31esSdE7DHoPG/8sG6WyP+H298kAAt7ZxedyBR17P
FmF5L6yr1CcuvVNI3fj8hA278tUF6MMPU3/PQiIrmRvWwjkQ50ZJvP8yAPqKsMhJ
+VhBFTgkGlg6Nb7baiT1pr6u/u0+MqsNaLiyWgz1GbTL9gOykKvl+hZMjOTWACzJ
eMr0XJSs6n8AcpxL/VDjhHJXucDckJUsW3DrtVC8DGWxCMHXYxQNjADVhuD/tme/
qfEvAdKDXk43Y2YZkpch6qExW6eC2HVKWCb3VVTtYxHiPSklhc1rBSNIXqQxP5vD
EVdqFDhx0jMhAH9wjQUaVpwQ2TWzxtdfuPLOr4v9e46e3zunnB8h5uCQt21LfQnH
e6KtinCcCjONkrrF1OMRyDX28vHGB69djTb4mCVDEHalq66BIh6o8vJpo7rSHATt
BO64xKKzwChaOzmBiWE60d3x6AWCfBwfKWy0iTCfSGlrVs3EWknK1bTQ8dUqdE02
x60GzQwvVhAgR8czyHtdCHK9Fym+SkixusyiHnvWOaJl/D1TE96Ng/XL83L/2TK6
YxO0GEf2KDbewr8uJg9gO5Dv433YY47unyRi1DrTjrjuE07RWs5nBLSXGBzx1Nvc
lOJZilco7jGI/wBK51Jf
=7GkF
-----END PGP SIGNATURE-----



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close