===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1989
                      iCloud for Windows 7.6 released
                               10 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple iCloud
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4293 CVE-2018-4284 CVE-2018-4278
                   CVE-2018-4273 CVE-2018-4272 CVE-2018-4271
                   CVE-2018-4270 CVE-2018-4267 CVE-2018-4266
                   CVE-2018-4265 CVE-2018-4264 CVE-2018-4263
                   CVE-2018-4262 CVE-2018-4261

Reference:         ESB-2018.1985

Original Bulletin:
   https://support.apple.com/en-au/HT208932

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2018-7-9-6 iCloud for Windows 7.6

iCloud for Windows 7.6 is now available and addresses the following:

CFNetwork
Available for: Windows 7 and later
Impact: Cookies may unexpectedly persist in Safari
Description: A cookie management issue was addressed with improved
checks.
CVE-2018-4293: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4270: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4284: Found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: A malicious website may exfiltrate audio data cross-origin
Description: Sound fetched through audio elements may be exfiltrated
cross-origin. This issue was addressed with improved audio taint
tracking.
CVE-2018-4278: Jun Kokatsu (@shhnjk)

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to cause a denial of service
Description: A race condition was addressed with additional
validation.
CVE-2018-4266: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2018-4261: Omair working with Trend Micro's Zero Day Initiative
CVE-2018-4262: Mateusz Krzywicki working with Trend Micro's Zero Day
Initiative
CVE-2018-4263: Arayz working with Trend Micro's Zero Day Initiative
CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of
Ant-financial Light-Year Security Lab
CVE-2018-4265: cc working with Trend Micro's Zero Day Initiative
CVE-2018-4267: Arayz of Pangu team working with Trend Micro's Zero
Day Initiative
CVE-2018-4272: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2018-4271: found by OSS-Fuzz
CVE-2018-4273: found by OSS-Fuzz

Installation note:

iCloud for Windows 7.6 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================