Apple Security Advisory 2017-10-31-8

Posted Nov 2, 2017
Authored by Apple | Site apple.com

Apple Security Advisory 2017-10-31-8 - Additional information for the APPLE-SA-2017-09-25-1 macOS High Sierra 10.13 advisory has been provided that relates to Apache and various other software.

tags | advisory
systems | apple
advisories | CVE-2016-2161, CVE-2016-4736, CVE-2016-5387, CVE-2016-8740, CVE-2016-8743, CVE-2016-9042, CVE-2016-9063, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-0381, CVE-2017-1000373, CVE-2017-10989, CVE-2017-13782, CVE-2017-13807, CVE-2017-13808, CVE-2017-13809, CVE-2017-13810, CVE-2017-13811, CVE-2017-13812, CVE-2017-13813, CVE-2017-13814, CVE-2017-13815, CVE-2017-13816, CVE-2017-13817
SHA-256 | dd6b5b4eac263ebc5404ceffc22559c55c0e9ecea353a5fb6bd44a6814913f91

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-10-31-8
Additional information for APPLE-SA-2017-09-25-1
macOS High Sierra 10.13

macOS High Sierra 10.13 addresses the following:

802.1X
Available for: OS X Mountain Lion 10.8 and later
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017

apache
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in Apache
Description: Multiple issues were addressed by updating to version
2.4.27.
CVE-2017-3167
CVE-2017-3169
CVE-2017-7659
CVE-2017-7668
CVE-2017-7679
CVE-2017-9788
CVE-2017-9789
Entry added October 31, 2017

apache
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in Apache
Description: Multiple issues existed in Apache. These were addressed
by updating Apache to version 2.4.25.
CVE-2016-0736
CVE-2016-2161
CVE-2016-5387
CVE-2016-8740
CVE-2016-8743
Entry added October 31, 2017

AppleScript
Available for: OS X Mountain Lion 10.8 and later
Impact: Decompiling an AppleScript with osadecompile may lead to
arbitrary code execution
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13809: an anonymous researcher
Entry added October 31, 2017

Application Firewall
Available for: OS X Lion v10.8 and later
Impact: A previously denied application firewall setting may take
effect after upgrading
Description: An upgrade issue existed in the handling of firewall
settings. This issue was addressed through improved handling of
firewall settings during upgrades.
CVE-2017-7084: an anonymous researcher

AppSandbox
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7074: Daniel Jalkut of Red Sweater Software

ATS
Available for: OS X Mountain Lion 10.8 and later
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2017-13820: John Villamil, Doyensec
Entry added October 31, 2017

Audio
Available for: OS X Mountain Lion 10.8 and later
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-13807: Yangkang (@dnpushme) of Qihoo 360 Qex Team
Entry added October 31, 2017

Captive Network Assistant
Available for: OS X Lion v10.8 and later
Impact: A local user may unknowingly send a password unencrypted over
the network
Description: The security state of the captive portal browser was not
obvious. This issue was addressed with improved visibility of the
captive portal browser security state.
CVE-2017-7143: an anonymous researcher

CFNetwork Proxies
Available for: OS X Lion v10.8 and later
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.

CFString
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13821: Australian Cyber Security Centre - Australian Signals
Directorate
Entry added October 31, 2017

CoreAudio
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro

CoreText
Available for: OS X Mountain Lion 10.8 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-13825: Australian Cyber Security Centre - Australian Signals
Directorate
Entry added October 31, 2017

Directory Utility
Available for: OS X Lion v10.8 and later
Impact: A local attacker may be able to determine the Apple ID of the
owner of the computer
Description: A permissions issue existed in the handling of the Apple
ID. This issue was addressed with improved access controls.
CVE-2017-7138: an anonymous researcher

file
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version
5.30.
CVE-2017-7121: found by OSS-Fuzz
CVE-2017-7122: found by OSS-Fuzz
CVE-2017-7123: found by OSS-Fuzz
CVE-2017-7124: found by OSS-Fuzz
CVE-2017-7125: found by OSS-Fuzz
CVE-2017-7126: found by OSS-Fuzz

file
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version
5.31.
CVE-2017-13815
Entry added October 31, 2017

Fonts
Available for: OS X Mountain Lion 10.8 and later
Impact: Rendering untrusted text may lead to spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-13828: an anonymous researcher
Entry added October 31, 2017

fsck_msdos
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13811: an anonymous researcher
Entry added October 31, 2017

HelpViewer
Available for: OS X Mountain Lion 10.8 and later
Impact: A quarantined HTML file may execute arbitrary JavaScript
cross-origin
Description: A cross-site scripting issue existed in HelpViewer. This
issue was addressed by removing the affected file.
CVE-2017-13819: an anonymous researcher
Entry added October 31, 2017

HFS
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13830: Sergej Schumilo of Ruhr-University Bochum
Entry added October 31, 2017

ImageIO
Available for: OS X Mountain Lion 10.8 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-13814: Australian Cyber Security Centre - Australian Signals
Directorate
Entry added October 31, 2017

ImageIO
Available for: OS X Mountain Lion 10.8 and later
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: An information disclosure issue existed in the
processing of disk images. This issue was addressed through improved
memory management.
CVE-2017-13831: an anonymous researcher
Entry added October 31, 2017

Installer
Available for: OS X Mountain Lion 10.8 and later
Impact: A malicious application may be able to access the FileVault
unlock key
Description: This issue was addressed by removing additional
entitlements.
CVE-2017-13837: Patrick Wardle of Synack
Entry added October 31, 2017

IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7077: Brandon Azad

IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7119: Xiaolong Bai, Min (Spark) Zheng of Alibaba Inc.,
Benjamin Gnahm (@mitp0sh) of PDX

Kernel
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity

Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: A local user may be able to leak sensitive user information
Description: A permissions issue existed in kernel packet counters.
This issue was addressed through improved permission validation.
CVE-2017-13810: an anonymous researcher
Entry added October 31, 2017

Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2017-13817: Maxime Villard (m00nbsd)
Entry added October 31, 2017

Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13818: The UK's National Cyber Security Centre (NCSC)
CVE-2017-13836: an anonymous researcher, an anonymous researcher
CVE-2017-13841: an anonymous researcher
CVE-2017-13840: an anonymous researcher
CVE-2017-13842: an anonymous researcher
CVE-2017-13782: Kevin Backhouse of Semmle Ltd.
Entry added October 31, 2017

Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13843: an anonymous researcher
Entry added October 31, 2017

Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: Processing a malformed mach binary may lead to arbitrary code
execution
Description: A memory corruption issue was addressed through improved
validation.
CVE-2017-13834: Maxime Villard (m00nbsd)
Entry added October 31, 2017

kext tools
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A logic error in kext loading was addressed with
improved state handling.
CVE-2017-13827: an anonymous researcher
Entry added October 31, 2017

libarchive
Available for: OS X Mountain Lion 10.8 and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: A buffer overflow issue was addressed through improved
memory handling.
CVE-2017-13813: found by OSS-Fuzz
CVE-2017-13816: found by OSS-Fuzz
Entry added October 31, 2017

libarchive
Available for: OS X Mountain Lion 10.8 and later
Impact: Unpacking a maliciously crafted archive may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in libarchive.
These issues were addressed through improved input validation.
CVE-2017-13812: found by OSS-Fuzz
Entry added October 31, 2017

libarchive
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2016-4736: Proteas of Qihoo 360 Nirvan Team
Entry added October 31, 2017

libc
Available for: OS X Lion v10.8 and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google

libc
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373

libexpat
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1.
CVE-2016-9063
CVE-2017-9233

Mail
Available for: OS X Lion v10.8 and later
Impact: The sender of an email may be able to determine the IP
address of the recipient
Description: Turning off "Load remote content in messages" did not
apply to all mailboxes. This issue was addressed with improved
setting propagation.
CVE-2017-7141: an anonymous researcher

Mail Drafts
Available for: OS X Lion v10.8 and later
Impact: An attacker with a privileged network position may be able to
intercept mail contents
Description: An encryption issue existed in the handling of mail
drafts. This issue was addressed with improved handling of mail
drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an
anonymous researcher

ntp
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version
4.2.8p10.
CVE-2017-6451: Cure53
CVE-2017-6452: Cure53
CVE-2017-6455: Cure53
CVE-2017-6458: Cure53
CVE-2017-6459: Cure53
CVE-2017-6460: Cure53
CVE-2017-6462: Cure53
CVE-2017-6463: Cure53
CVE-2017-6464: Cure53
CVE-2016-9042: Matthew Van Gundy of Cisco

Open Scripting Architecture
Available for: OS X Mountain Lion 10.8 and later
Impact: Decompiling an AppleScript with osadecompile may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13824: an anonymous researcher
Entry added October 31, 2017

PCRE
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in pcre
Description: Multiple issues were addressed by updating to version
8.40.
CVE-2017-13846
Entry added October 31, 2017

Postfix
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in Postfix
Description: Multiple issues were addressed by updating to version
3.2.2.
CVE-2017-13826: an anonymous researcher
Entry added October 31, 2017

Quick Look
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13822: Australian Cyber Security Centre - Australian Signals
Directorate
Entry added October 31, 2017

Quick Look
Available for: OS X Mountain Lion 10.8 and later
Impact: Parsing a maliciously crafted office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-7132: Australian Cyber Security Centre - Australian Signals
Directorate
Entry added October 31, 2017

QuickTime
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13823: an anonymous researcher
Entry added October 31, 2017

Remote Management
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13808: an anonymous researcher
Entry added October 31, 2017

Sandbox
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13838: an anonymous researcher
Entry added October 31, 2017

Screen Lock
Available for: OS X Lion v10.8 and later
Impact: Application Firewall prompts may appear over Login Window
Description: A window management issue was addressed through improved
state management.
CVE-2017-7082: Tim Kingman

Security
Available for: OS X Lion v10.8 and later
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: Sven Driemecker of adesso mobile solutions gmbh, Rune
Darrud (@theflyingcorpse) of Bærum kommune, an anonymous researcher,
an anonymous researcher

Spotlight
Available for: OS X Mountain Lion 10.8 and later
Impact: Spotlight may display results for files not belonging to the
user
Description: An access issue existed in Spotlight. This issue was
addressed through improved access restrictions.
CVE-2017-13839: an anonymous researcher
Entry added October 31, 2017

SQLite
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz

SQLite
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher

WebKit
Available for: OS X Lion v10.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher

zlib
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843

Installation note:

macOS High Sierra 10.13 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
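Many of the entries above are fixed by updating a bundled open-source component to a specific version (Apache 2.4.27, Opus 1.1.4, file 5.31, expat 2.2.1, ntp 4.2.8p10, PCRE 8.40, Postfix 3.2.2, SQLite 3.19.3, zlib 1.2.11). The script below is an added example, not Apple's or Packet Storm's code: it parses the advisory's own "updating ... to version N" wording out of an excerpt of the entries above and compares those fixed versions against an inventory of what a host reports. The inventory dictionary is constructed for the example, and the version comparison is a hypothetical helper that treats a trailing patch token such as ntp's "p10" as newer than the bare release (correct for ntp's patch levels, not for pre-release tags like "rc1").

```python
"""Check an installed-component inventory against the versions an Apple
advisory says were fixed. Added example; the advisory excerpt reuses the
page's own entries, the INSTALLED inventory is constructed."""
import re
from typing import Dict, List, Tuple

# Excerpt in the advisory's layout (component heading, then fields).
# Values are the page's; the set of entries is trimmed for the example.
ADVISORY = """\
apache
Impact: Multiple issues in Apache
Description: Multiple issues were addressed by updating to version
2.4.27.
CVE-2017-3167

apache
Impact: Multiple issues in Apache
Description: Multiple issues existed in Apache. These were addressed
by updating Apache to version 2.4.25.
CVE-2016-2161

CoreAudio
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381

Kernel
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2017-13817

ntp
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version
4.2.8p10
CVE-2017-6451

zlib
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
"""

# Matches "updating to version N", "updating Apache to version N" and
# "updating to Opus version N"; group 1 is the optional library name.
VERSION_RE = re.compile(r"updating (?:to )?(?:([A-Za-z]+) )?(?:to )?version (\S+)")


def version_key(version: str) -> Tuple:
    """Turn '4.2.8p10' into a comparable tuple. Numeric tokens compare as ints,
    alphabetic tokens as strings; the (0|1, value) tag keeps the two kinds apart
    so tuple comparison never raises. A longer tuple with the same prefix
    (4.2.8p10 vs 4.2.8) counts as newer."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def parse_fixed_versions(advisory: str) -> Dict[str, str]:
    """Return {component: highest fixed version} for entries that name a version.
    Entries fixed another way (the Kernel entry here) carry no version and are skipped."""
    fixed: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", advisory.strip()):
        lines = block.splitlines()
        heading = lines[0].strip()
        body = " ".join(line.strip() for line in lines[1:])  # re-join wrapped lines
        match = VERSION_RE.search(body)
        if not match:
            continue
        # A named library ("Apache", "Opus") is a better key than the heading.
        component = (match.group(1) or heading).lower()
        version = match.group(2).rstrip(".")
        if component not in fixed or version_key(version) > version_key(fixed[component]):
            fixed[component] = version
    return fixed


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    return version_key(installed) >= version_key(fixed)


def outstanding(installed: Dict[str, str], fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(component, installed, fixed) for inventory entries still below the fixed version."""
    return sorted((name, have, fixed[name]) for name, have in installed.items()
                  if name in fixed and not is_fixed(have, fixed[name]))


# Constructed inventory standing in for what a host reports
# (e.g. from `httpd -v`, `ntpd --version`); not real measurements.
INSTALLED = {
    "apache": "2.4.25",  # below 2.4.27
    "opus": "1.1.4",     # at the fixed version
    "ntp": "4.2.8p9",    # patch level below p10
    "zlib": "1.2.11",    # at the fixed version
    "postfix": "3.2.2",  # not in the trimmed excerpt, so not reported
}

if __name__ == "__main__":
    for name, have, need in outstanding(INSTALLED, parse_fixed_versions(ADVISORY)):
        print(f"{name}: installed {have}, advisory fixes at {need}")
```

Feeding the full advisory text to `parse_fixed_versions` picks up every "updating to version" entry on the page; components fixed by "improved memory handling" and the like have no version to compare and have to be verified by the macOS build number instead.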