Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2761 iCloud for Windows 10.6 and 7.13 24 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apple iCloud Publisher: Apple Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-13118 CVE-2019-8690 CVE-2019-8689 CVE-2019-8688 CVE-2019-8687 CVE-2019-8686 CVE-2019-8685 CVE-2019-8684 CVE-2019-8683 CVE-2019-8681 CVE-2019-8680 CVE-2019-8679 CVE-2019-8678 CVE-2019-8677 CVE-2019-8676 CVE-2019-8673 CVE-2019-8672 CVE-2019-8671 CVE-2019-8669 CVE-2019-8666 CVE-2019-8658 CVE-2019-8649 CVE-2019-8644 Reference: ESB-2019.2746 ESB-2019.2745 ESB-2019.2742 ESB-2019.2737 ESB-2019.2660 Original Bulletin: https://support.apple.com/en-au/HT210358 https://support.apple.com/en-au/HT210357 Comment: This bulletin contains two (2) Apple security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-23-3 iCloud for Windows 10.6 iCloud for Windows 10.6 is now available and addresses the following: libxslt Available for: Windows 10 and later via the Microsoft Store Impact: A remote attacker may be able to view sensitive information Description: A stack overflow was addressed with improved input validation. CVE-2019-13118: found by OSS-Fuzz WebKit Available for: Windows 10 and later via the Microsoft Store Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative WebKit Available for: Windows 10 and later via the Microsoft Store Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management. CVE-2019-8690: Sergei Glazunov of Google Project Zero WebKit Available for: Windows 10 and later via the Microsoft Store Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative CVE-2019-8666: Zongming Wang (ç\x{142}\x{139}å®\x{151}æ\x{152}\x{142}) and Zhe Jin (é\x{135}\x{145}å\x{147}²) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative CVE-2019-8671: Apple CVE-2019-8672: Samuel GroÃ\x{159} of Google Project Zero CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech CVE-2019-8677: Jihui Lu of Tencent KeenLab CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation CVE-2019-8679: Jihui Lu of Tencent KeenLab CVE-2019-8680: Jihui Lu of Tencent KeenLab CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative CVE-2019-8683: lokihardt of Google Project Zero CVE-2019-8684: lokihardt of Google Project Zero CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative CVE-2019-8687: Apple CVE-2019-8688: Insu Yun of SSLab at Georgia Tech CVE-2019-8689: lokihardt of Google Project Zero WebKit Available for: Windows 10 and later via the Microsoft Store Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management. CVE-2019-8649: Sergei Glazunov of Google Project Zero Installation note: iCloud for Windows 10.6 may be obtained from: https://support.apple.com/HT204283 Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl03jE4ACgkQeC9tht7T K3HQKw//VEA3w25zNgO0wLZGvd7Gv9xSoq3By7dzY7kZXOgdco+tPgNtcwepDZtH eb56eU8K1IVhgX/eqoNgwRQZ4yAIxxI0nigB27z54SRpy3rpZhgduBPEKNh4KtsL IvE7TOFyczbmpDFnJFqQNujcZN5uFEjAU/J45cEKzw0q/Om7S/oVlJ4So4XigC2j qD7Skk4Ri+XQBV5UO6McLDwR6VOvEvnczBZTQaUw8NHaTUNrCdW9dEIZAVHZEQl6 VzgT+rJKZrRBZI9PujEdObNcHByabixu8mw8UQMSwMT7A4ys7PNJs8myoLSu+dF5 tYT4VX+9VMLmE+SJTQUPGJ2bDm7b8fsuH7xvxlJ+MC1LU4rFGLw/23HZad4LZtRY YpVTY/tz01V07JwQD8YE0hcYc7E4RITPAv3CbsaJBcRbYzXtPoe5yt9DQQsjaz/N b/3V5ZjKzDlcUeDiCYIvy0jLb6xThEwWFugDPsH+aiakB5itife7IJKud0l39EZL xFj2aaBPcOjr5efeMHlk9yNWYP4z0ymICQXzwuSms/Teuz/4o1lluBLbLemi3oE/ YwtrByJUY6252exsDXhEUy6N6gtlxpa0r8qccZZ25oS6+ANy5BTYfMluEAh4wnKk 1bC5Bpq0/z11CgdpYLi+jGf4fh7LLYyBkbhuBXRLHGwh0lu2Raw= =jJIg - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-23-1 iCloud for Windows 7.13 iCloud for Windows 7.13 is now available and addresses the following: libxslt Available for: Windows 7 and later Impact: A remote attacker may be able to view sensitive information Description: A stack overflow was addressed with improved input validation. CVE-2019-13118: found by OSS-Fuzz WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved state management. CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management. CVE-2019-8690: Sergei Glazunov of Google Project Zero WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative CVE-2019-8666: Zongming Wang (ç\x{142}\x{139}å®\x{151}æ\x{152}\x{142}) and Zhe Jin (é\x{135}\x{145}å\x{147}²) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative CVE-2019-8671: Apple CVE-2019-8672: Samuel GroÃ\x{159} of Google Project Zero CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech CVE-2019-8677: Jihui Lu of Tencent KeenLab CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation CVE-2019-8679: Jihui Lu of Tencent KeenLab CVE-2019-8680: Jihui Lu of Tencent KeenLab CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative CVE-2019-8683: lokihardt of Google Project Zero CVE-2019-8684: lokihardt of Google Project Zero CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative CVE-2019-8687: Apple CVE-2019-8688: Insu Yun of SSLab at Georgia Tech CVE-2019-8689: lokihardt of Google Project Zero WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management. CVE-2019-8649: Sergei Glazunov of Google Project Zero Installation note: iCloud for Windows 7.13 may be obtained from: https://support.apple.com/HT204283 Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl03jDQACgkQeC9tht7T K3FB9BAAybXVOTadtCFw+ZDUAd22YF+MnDfbhqGB8JXuVRrKgJqPvgbfbOXxDADV pCHGzkc/SBPSNvwry1Cps1WodyKskZKj8cX7umxLW+MFMGbFrymXDmZid2vF1Pri iQDp3b56yAwdqeC3oUzZbHsT08shLtcgzdbJqarc9+t73IXkG98+7GSt0O6Up5nl 3Z7aHtrB+0ZLLjW/BlPXz4OYK6f6AWrZtnIBXQ9kMTcknK1/jhW48zmf85B0zhoR 0AH9ixENhtrJV5KGhUN4kjMa32mv7NhR1lkr7sk3GkmY+5L8TnIR8umb5u7UjvTI L9aOIqEk4h4NtjUg9CdYdwiPFPNSrqGxpMy105F0VQ8iQjUBj6epMA4pFwcd+aly YmA8eY2jyPbeHmF/hZbXnggIGG3ETI/VU282UXH8SJINowjwqnsxOTvbglcsse+d ISh15Hxt37pv5cfsYkNbkVu6D6FoCuk9tnwZCT4Y+QJTtrSPdQZOjqoc5jnbnx1E BK+4Ox8loLR0/qpy7+67EEjKYWWThy/9QK0jENwb/c73ub765s8OasA684ZpNfG1 vvafAqeSU5U5OfOx3AfGjfvCCzq1HPE0zo+xFAOvu2mv5wl7Tv/VfQ5+cixvKq0G mRsTkhIVlRob6t2cnHZRvy20o4EszOtrxM/Qwp9oBaq3DSxuPrg= =pjrY - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXTfpk2aOgq3Tt24GAQgDfxAAusboUUvjMb4saOlegpPCOdAX5XDXETRq uZKmJ0rHHx+DgzUrfn41P0RApzU39WXml3anTPTP9dkrnqaswvBdNS7QoKlt2Yjz rlyxbCjtsVrztF+5oUs80azDQ1TtJDDIW+UA9j30OdA7rGCo1XT98ICNUqYjj+8M cHCnl6Lr3GOoxwu2oCPFLAledYJIUB9LeihAvrqjP2wTPCMuP+fpIewHQODv7/Kz ztlVkwchCCp1g2MCzXZEOeWd0lS+ByDcwLsfj4kmK6OCEgVJsiAsBUjsPy+PH6ds g/06xwhL1nvH+NG3F9yM6/Il8U5mIbyepRp0wO837MobgTprhFyTI2ZFF9ZoPuQl K80H2wKuoseYyEWI6OQHUf7XIZs7HYt1JLYIkoMkAQs9Sv5FGYDGV8yMw66TuCLK NWcpeEvPN0dZp2Eyh1gPKy91eWVsRczewa57kDJ7Lc8X/YuHX4il2A2Ks3joU7gM CJXt/5iPMlhZI9Ivr8NUHPQKva7iXtBAhI4XEOItrVme/DWDuC40Y29kk276IaXy MOMLNdFa8Rkju/MrLzTYT83zeOWKOl3z5EdkvrzOkycz5zp/HkxcB0yGIWclhG28 8EkEBbU5nTbmXyyalsjdfBiUSD9VMAv1mPXcrhOLknkzfl4r2xaMpN4DOTBs1CgT 06xdJ6HiR+0= =S39N -----END PGP SIGNATURE-----