Operating System:

[Win]

Published:

24 July 2019

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2761
                     iCloud for Windows 10.6 and 7.13
                               24 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple iCloud
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13118 CVE-2019-8690 CVE-2019-8689
                   CVE-2019-8688 CVE-2019-8687 CVE-2019-8686
                   CVE-2019-8685 CVE-2019-8684 CVE-2019-8683
                   CVE-2019-8681 CVE-2019-8680 CVE-2019-8679
                   CVE-2019-8678 CVE-2019-8677 CVE-2019-8676
                   CVE-2019-8673 CVE-2019-8672 CVE-2019-8671
                   CVE-2019-8669 CVE-2019-8666 CVE-2019-8658
                   CVE-2019-8649 CVE-2019-8644 

Reference:         ESB-2019.2746
                   ESB-2019.2745
                   ESB-2019.2742
                   ESB-2019.2737
                   ESB-2019.2660

Original Bulletin: 
   https://support.apple.com/en-au/HT210358
   https://support.apple.com/en-au/HT210357

Comment: This bulletin contains two (2) Apple security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-7-23-3 iCloud for Windows 10.6

iCloud for Windows 10.6 is now available and addresses the following:

libxslt
Available for: Windows 10 and later via the Microsoft Store
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of document loads.
This issue was addressed with improved state management.
CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8666: Zongming Wang (ç\x{142}\x{139}å®\x{151}æ\x{152}\x{142}) and Zhe Jin (é\x{135}\x{145}å\x{147}²) from Chengdu
Security Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8671: Apple
CVE-2019-8672: Samuel GroÃ\x{159} of Google Project Zero
CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8677: Jihui Lu of Tencent KeenLab
CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014)
of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin
(@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser
Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser
Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser
Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX
Browser Exploitation
CVE-2019-8679: Jihui Lu of Tencent KeenLab
CVE-2019-8680: Jihui Lu of Tencent KeenLab
CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech,
Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL,
and Eric Lung (@Khlung1) of VXRL
CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of synchronous
page loads. This issue was addressed with improved state management.
CVE-2019-8649: Sergei Glazunov of Google Project Zero

Installation note:

iCloud for Windows 10.6 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl03jE4ACgkQeC9tht7T
K3HQKw//VEA3w25zNgO0wLZGvd7Gv9xSoq3By7dzY7kZXOgdco+tPgNtcwepDZtH
eb56eU8K1IVhgX/eqoNgwRQZ4yAIxxI0nigB27z54SRpy3rpZhgduBPEKNh4KtsL
IvE7TOFyczbmpDFnJFqQNujcZN5uFEjAU/J45cEKzw0q/Om7S/oVlJ4So4XigC2j
qD7Skk4Ri+XQBV5UO6McLDwR6VOvEvnczBZTQaUw8NHaTUNrCdW9dEIZAVHZEQl6
VzgT+rJKZrRBZI9PujEdObNcHByabixu8mw8UQMSwMT7A4ys7PNJs8myoLSu+dF5
tYT4VX+9VMLmE+SJTQUPGJ2bDm7b8fsuH7xvxlJ+MC1LU4rFGLw/23HZad4LZtRY
YpVTY/tz01V07JwQD8YE0hcYc7E4RITPAv3CbsaJBcRbYzXtPoe5yt9DQQsjaz/N
b/3V5ZjKzDlcUeDiCYIvy0jLb6xThEwWFugDPsH+aiakB5itife7IJKud0l39EZL
xFj2aaBPcOjr5efeMHlk9yNWYP4z0ymICQXzwuSms/Teuz/4o1lluBLbLemi3oE/
YwtrByJUY6252exsDXhEUy6N6gtlxpa0r8qccZZ25oS6+ANy5BTYfMluEAh4wnKk
1bC5Bpq0/z11CgdpYLi+jGf4fh7LLYyBkbhuBXRLHGwh0lu2Raw=
=jJIg
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2019-7-23-1 iCloud for Windows 7.13

iCloud for Windows 7.13 is now available and addresses the following:

libxslt
Available for: Windows 7 and later
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input
validation.
CVE-2019-13118: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of document loads.
This issue was addressed with improved state management.
CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8666: Zongming Wang (ç\x{142}\x{139}å®\x{151}æ\x{152}\x{142}) and Zhe Jin (é\x{135}\x{145}å\x{147}²) from Chengdu
Security Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8671: Apple
CVE-2019-8672: Samuel GroÃ\x{159} of Google Project Zero
CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8677: Jihui Lu of Tencent KeenLab
CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014)
of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin
(@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser
Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser
Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser
Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX
Browser Exploitation
CVE-2019-8679: Jihui Lu of Tencent KeenLab
CVE-2019-8680: Jihui Lu of Tencent KeenLab
CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech,
Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL,
and Eric Lung (@Khlung1) of VXRL
CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day
Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of synchronous
page loads. This issue was addressed with improved state management.
CVE-2019-8649: Sergei Glazunov of Google Project Zero

Installation note:

iCloud for Windows 7.13 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl03jDQACgkQeC9tht7T
K3FB9BAAybXVOTadtCFw+ZDUAd22YF+MnDfbhqGB8JXuVRrKgJqPvgbfbOXxDADV
pCHGzkc/SBPSNvwry1Cps1WodyKskZKj8cX7umxLW+MFMGbFrymXDmZid2vF1Pri
iQDp3b56yAwdqeC3oUzZbHsT08shLtcgzdbJqarc9+t73IXkG98+7GSt0O6Up5nl
3Z7aHtrB+0ZLLjW/BlPXz4OYK6f6AWrZtnIBXQ9kMTcknK1/jhW48zmf85B0zhoR
0AH9ixENhtrJV5KGhUN4kjMa32mv7NhR1lkr7sk3GkmY+5L8TnIR8umb5u7UjvTI
L9aOIqEk4h4NtjUg9CdYdwiPFPNSrqGxpMy105F0VQ8iQjUBj6epMA4pFwcd+aly
YmA8eY2jyPbeHmF/hZbXnggIGG3ETI/VU282UXH8SJINowjwqnsxOTvbglcsse+d
ISh15Hxt37pv5cfsYkNbkVu6D6FoCuk9tnwZCT4Y+QJTtrSPdQZOjqoc5jnbnx1E
BK+4Ox8loLR0/qpy7+67EEjKYWWThy/9QK0jENwb/c73ub765s8OasA684ZpNfG1
vvafAqeSU5U5OfOx3AfGjfvCCzq1HPE0zo+xFAOvu2mv5wl7Tv/VfQ5+cixvKq0G
mRsTkhIVlRob6t2cnHZRvy20o4EszOtrxM/Qwp9oBaq3DSxuPrg=
=pjrY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXTfpk2aOgq3Tt24GAQgDfxAAusboUUvjMb4saOlegpPCOdAX5XDXETRq
uZKmJ0rHHx+DgzUrfn41P0RApzU39WXml3anTPTP9dkrnqaswvBdNS7QoKlt2Yjz
rlyxbCjtsVrztF+5oUs80azDQ1TtJDDIW+UA9j30OdA7rGCo1XT98ICNUqYjj+8M
cHCnl6Lr3GOoxwu2oCPFLAledYJIUB9LeihAvrqjP2wTPCMuP+fpIewHQODv7/Kz
ztlVkwchCCp1g2MCzXZEOeWd0lS+ByDcwLsfj4kmK6OCEgVJsiAsBUjsPy+PH6ds
g/06xwhL1nvH+NG3F9yM6/Il8U5mIbyepRp0wO837MobgTprhFyTI2ZFF9ZoPuQl
K80H2wKuoseYyEWI6OQHUf7XIZs7HYt1JLYIkoMkAQs9Sv5FGYDGV8yMw66TuCLK
NWcpeEvPN0dZp2Eyh1gPKy91eWVsRczewa57kDJ7Lc8X/YuHX4il2A2Ks3joU7gM
CJXt/5iPMlhZI9Ivr8NUHPQKva7iXtBAhI4XEOItrVme/DWDuC40Y29kk276IaXy
MOMLNdFa8Rkju/MrLzTYT83zeOWKOl3z5EdkvrzOkycz5zp/HkxcB0yGIWclhG28
8EkEBbU5nTbmXyyalsjdfBiUSD9VMAv1mPXcrhOLknkzfl4r2xaMpN4DOTBs1CgT
06xdJ6HiR+0=
=S39N
-----END PGP SIGNATURE-----