What's new in iCloud 14.1.108.0 Store App
Dec 14, 2022
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted file may lead to arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved input validation.
- CVE-2022-46693: Mickey Jin (@patch1t)
- WebKit:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may bypass Same Origin Policy
- Description: A logic issue was addressed with improved state management.
- WebKit Bugzilla: 246783
- CVE-2022-46692: KirtiKumar Anandrao Ramchandani
- WebKit:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may disclose sensitive user information
- Description: A logic issue was addressed with improved checks.
- CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
New in iCloud 12.3.74.10 Store App (Apr 27, 2021)
- CFNetwork:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may disclose sensitive user information
- Description: A memory initialization issue was addressed with improved memory handling.
- CVE-2021-1857: an anonymous researcher
- CoreText:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted font may result in the disclosure of process memory
- Description: A logic issue was addressed with improved state management.
- CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab
- WebKit:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
- Description: An input validation issue was addressed with improved input validation.
- CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions
- WebRTC:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-7463: Megan2013678
New in iCloud 12.2.0.10 Store App (Feb 17, 2021)
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking.
- CVE-2020-29611: Ivan Fratric of Google Project Zero
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-29618: Xingwei Lin of Ant Security Light-Year Lab
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted image may lead to heap corruption
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-29617: Xingwei Lin of Ant Security Light-Year Lab
- CVE-2020-29619: Xingwei Lin of Ant Security Light-Year Lab
New in iCloud 11.5 Store App (Dec 3, 2020)
- Foundation:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A local user may be able to read arbitrary files
- Description: A logic issue was addressed with improved state management.
- CVE-2020-10002: James Hutchins
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds write was addressed with improved input validation.
- CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab
- ImageIO:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking.
- CVE-2020-9876: Mickey Jin of Trend Micro
- libxml2:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may lead to code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-27917: found by OSS-Fuzz
- libxml2:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: An integer overflow was addressed through improved input validation.
- CVE-2020-27911: found by OSS-Fuzz
- libxml2:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing a maliciously crafted file may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-9981: found by OSS-Fuzz
- SQLite:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A remote attacker may be able to cause a denial of service
- Description: This issue was addressed with improved checks.
- CVE-2020-13434
- CVE-2020-13435
- SQLite:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A remote attacker may be able to cause arbitrary code execution
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2020-13630
- SQLite:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A remote attacker may be able to leak memory
- Description: An information disclosure issue was addressed with improved state management.
- CVE-2020-9849
- SQLite:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: A maliciously crafted SQL query may lead to data corruption
- Description: This issue was addressed with improved checks.
- CVE-2020-13631
- WebKit:
- Available for:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
- CVE-2020-27918: an anonymous researcher
- WebKit:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may lead to code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking.
- CVE-2020-9983: zhunki
- WebKit:
- Available for: Windows 10 and later via the Microsoft Store
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-27918: an anonymous researcher
- CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
- CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
New in iCloud 11.4 Store App (Sep 25, 2020)
- WebKit:
- Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
- Description: An input validation issue was addressed with improved input validation.
- CVE-2020-9952: Ryan Pickren (ryanpickren.com)
New in iCloud 7.20 (Aug 11, 2020)
- ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking.
- CVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab
- CVE-2020-9936: Mickey Jin of Trend Micro
- CVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab
- ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab
- ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab
- ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: A buffer overflow issue was addressed with improved memory handling.
- CVE-2020-9919: Mickey Jin of Trend Micro
- ImageIO:
- Available for: Windows 7 and later
- Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking.
- CVE-2020-9876: Mickey Jin of Trend Micro
- ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An integer overflow was addressed through improved input validation.
- CVE-2020-9875: Mickey Jin of Trend Micro
- WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
- Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
- CVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management.
- CVE-2020-9925: an anonymous researcher
- WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
- CVE-2020-9895: Wen Xu of SSLab, Georgia Tech
- WebKit:
- Available for: Windows 7 and later
- Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
- Description: Multiple issues were addressed with improved logic.
- CVE-2020-9910: Samuel Groß of Google Project Zero
- WebKit Page Loading:
- Available for: Windows 7 and later
- Impact: A malicious attacker may be able to conceal the destination of a URL
- Description: A URL Unicode encoding issue was addressed with improved state management.
- CVE-2020-9916: Rakesh Mane (@RakeshMane10)
- WebKit Web Inspector:
- Available for: Windows 7 and later
- Impact: Copying a URL from Web Inspector may lead to command injection
- Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
- CVE-2020-9862: Ophir Lojkine (@lovasoa)
New in iCloud 7.18 (Mar 25, 2020)
- libxml2
- Available for: Windows 7 and later
- Impact: Multiple issues in libxml2
- Description: A buffer overflow was addressed with improved size validation.
- CVE-2020-3910: LGTM.com
- libxml2
- Available for: Windows 7 and later
- Impact: Multiple issues in libxml2
- Description: A buffer overflow was addressed with improved bounds checking.
- CVE-2020-3909: LGTM.com
- CVE-2020-3911: found by OSS-Fuzz
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling.
- CVE-2020-3901: Benjamin Randazzo (@____benjamin)
- WebKit
- Available for: Windows 7 and later
- Impact: A download's origin may be incorrectly associated
- Description: A logic issue was addressed with improved restrictions.
- CVE-2020-3887: Ryan Pickren (ryanpickren.com)
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2020-3895: grigoritchy
- CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech
- WebKit
- Available for: Windows 7 and later
- Impact: An application may be able to read restricted memory
- Description: A race condition was addressed with additional validation.
- CVE-2020-3894: Sergei Glazunov of Google Project Zero
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2020-9783: Apple
- WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling.
- CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative
- WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause arbitrary code execution
- Description: A memory consumption issue was addressed with improved memory handling.
- CVE-2020-3899: found by OSS-Fuzz
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
- Description: An input validation issue was addressed with improved input validation.
- CVE-2020-3902: Yigit Can YILMAZ (@yilmazcanyigit)
- WebKit Page Loading:
- Available for: Windows 7 and later
- Impact: A file URL may be incorrectly processed
- Description: A logic issue was addressed with improved restrictions.
- CVE-2020-3885: Ryan Pickren (ryanpickren.com)
New in iCloud 7.16 (Dec 12, 2019)
- CFNetwork Proxies:
- Available for: Windows 7 and later
- Impact: An application may be able to gain elevated privileges
- Description: This issue was addressed with improved checks.
- CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team
- libexpat:
- Available for: Windows 7 and later
- Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information
- Description: This issue was addressed by updating to expat version 2.2.8.
- CVE-2019-15903: Joonun Jang
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-8835: Anonymous working with Trend Micro's Zero Day Initiative, Mike Zhang of Pangu Team
- CVE-2019-8844: William Bowling (@wcbowling)
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2019-8846: Marcin Towalski of Cisco Talos
New in iCloud 7.15 (Oct 30, 2019)
- Graphics Driver:
- Available for: Windows 7 and later
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2019-8784: Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
- CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
- CVE-2019-8814: Cheolung Lee of LINE+ Security Team
- CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
- CVE-2019-8819: Cheolung Lee of LINE+ Security Team
- CVE-2019-8820: Samuel Groß of Google Project Zero
- CVE-2019-8821: Sergei Glazunov of Google Project Zero
- CVE-2019-8822: Sergei Glazunov of Google Project Zero
- CVE-2019-8823: Sergei Glazunov of Google Project Zero
- WebKit Process Model:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-8815: Apple
New in iCloud 7.14 (Oct 8, 2019)
- UIFoundation:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
- Description: A buffer overflow was addressed with improved bounds checking.
- CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management.
- CVE-2019-8625: Sergei Glazunov of Google Project Zero
- CVE-2019-8719: Sergei Glazunov of Google Project Zero
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative
- CVE-2019-8726: Jihui Lu of Tencent KeenLab
- CVE-2019-8733: Sergei Glazunov of Google Project Zero
- CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative
- CVE-2019-8763: Sergei Glazunov of Google Project Zero
New in iCloud 7.13 (Jul 24, 2019)
- libxslt:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to view sensitive information
- Description: A stack overflow was addressed with improved input validation.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.
New in iCloud 7.12 (May 29, 2019)
- SQLite:
- Available for: Windows 7 and later
- Impact: An application may be able to gain elevated privileges
- Description: An input validation issue was addressed with improved memory handling.
- CVE-2019-8577: Omer Gull of Checkpoint Research
- SQLite:
- Available for: Windows 7 and later
- Impact: A maliciously crafted SQL query may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved input validation.
- CVE-2019-8600: Omer Gull of Checkpoint Research
- SQLite:
- Available for: Windows 7 and later
- Impact: A malicious application may be able to read restricted memory
- Description: An input validation issue was addressed with improved input validation.
- CVE-2019-8598: Omer Gull of Checkpoint Research
- SQLite:
- Available for: Windows 7 and later
- Impact: A malicious application may be able to elevate privileges
- Description: A memory corruption issue was addressed by removing the vulnerable code.
- CVE-2019-8602: Omer Gull of Checkpoint Research
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may result in the disclosure of process memory
- Description: An out-of-bounds read was addressed with improved input validation.
- CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
- CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative
- CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
- CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
- CVE-2019-8586: an anonymous researcher
- CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
- CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
- CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
- CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
- CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
- CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative
- CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
- CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
- CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
- CVE-2019-8611: Samuel Groß of Google Project Zero
- CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative
- CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
- CVE-2019-8622: Samuel Groß of Google Project Zero
- CVE-2019-8623: Samuel Groß of Google Project Zero
- CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
New in iCloud 7.9.0.9 (Dec 6, 2018)
- Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: A logic issue was addressed with improved state management.
- CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab (xlab.tencent.com)
- Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to user interface spoofing
- Description: A logic issue was addressed with improved validation.
- CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
- CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2018-4441: lokihardt of Google Project Zero
- CVE-2018-4442: lokihardt of Google Project Zero
- CVE-2018-4443: lokihardt of Google Project Zero
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.
New in iCloud 7.8.1.12 (Dec 6, 2018)
- Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: A logic issue was addressed with improved state management.
- CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab (xlab.tencent.com)
- Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to user interface spoofing
- Description: A logic issue was addressed with improved validation.
- CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
- CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2018-4441: lokihardt of Google Project Zero
- CVE-2018-4442: lokihardt of Google Project Zero
- CVE-2018-4443: lokihardt of Google Project Zero
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.
New in iCloud 7.7 Build 27 (Oct 9, 2018)
- WebKit
- Available for: Windows 7 and later
- Impact: Unexpected interaction causes an ASSERT failure
- Description: A memory corruption issue was addressed with improved validation.
- CVE-2018-4191: found by OSS-Fuzz
- WebKit
- Available for: Windows 7 and later
- Impact: Cross-origin SecurityErrors include the accessed frame’s origin
- Description: The issue was addressed by removing origin information.
- CVE-2018-4311: Erling Alf Ellingsen (@steike)
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4299: Samuel Groß (saelo) working with Trend Micro's Zero Day Initiative
- CVE-2018-4323: Ivan Fratric of Google Project Zero
- CVE-2018-4328: Ivan Fratric of Google Project Zero
- CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative
- CVE-2018-4359: Samuel Groß (@5aelo)
- WebKit
- Available for: Windows 7 and later
- Impact: A malicious website may cause unexpected cross-origin behavior
- Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins.
- CVE-2018-4319: John Pettitt of Google
- WebKit
- Available for: Windows 7 and later
- Impact: A malicious website may be able to execute scripts in the context of another website
- Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.
- CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2018-4197: Ivan Fratric of Google Project Zero
- CVE-2018-4306: Ivan Fratric of Google Project Zero
- CVE-2018-4312: Ivan Fratric of Google Project Zero
- CVE-2018-4314: Ivan Fratric of Google Project Zero
- CVE-2018-4315: Ivan Fratric of Google Project Zero
- CVE-2018-4317: Ivan Fratric of Google Project Zero
- CVE-2018-4318: Ivan Fratric of Google Project Zero
- WebKit
- Available for: Windows 7 and later
- Impact: A malicious website may exfiltrate image data cross-origin
- Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.
- CVE-2018-4345: an anonymous researcher
- WebKit
- Available for: Windows 7 and later
- Impact: Unexpected interaction causes an ASSERT failure
- Description: A memory consumption issue was addressed with improved memory handling.
- CVE-2018-4361: found by Google OSS-Fuzz
New in iCloud 7.6 Build 15 (Jul 10, 2018)
- CFNetwork:
- Available for: Windows 7 and later
- Impact: Cookies may unexpectedly persist in Safari
- Description: A cookie management issue was addressed with improved checks.
- CVE-2018-4293: an anonymous researcher
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2018-4270: found by OSS-Fuzz
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling.
- CVE-2018-4284: found by OSS-Fuzz
- WebKit:
- Available for: Windows 7 and later
- Impact: A malicious website may exfiltrate audio data cross-origin
- Description: Sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking.
- CVE-2018-4278: Jun Kokatsu (@shhnjk)
- WebKit:
- Available for: Windows 7 and later
- Impact: A malicious website may be able to cause a denial of service
- Description: A race condition was addressed with additional validation.
- CVE-2018-4266: found by OSS-Fuzz
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4261: Omair working with Trend Micro's Zero Day Initiative
- CVE-2018-4262: Mateusz Krzywicki working with Trend Micro's Zero Day Initiative
- CVE-2018-4263: Arayz working with Trend Micro's Zero Day Initiative
- CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab
- CVE-2018-4265: cc working with Trend Micro's Zero Day Initiative
- CVE-2018-4267: Arayz of Pangu team working with Trend Micro's Zero Day Initiative
- CVE-2018-4272: found by OSS-Fuzz
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
- Description: Multiple memory corruption issues were addressed with improved input validation.
- CVE-2018-4271: found by OSS-Fuzz
- CVE-2018-4273: found by OSS-Fuzz
New in iCloud 7.5 Build 34 (Jun 5, 2018)
- Security:
- Impact: A local user may be able to read a persistent device identifier
- Description: An authorization issue was addressed with improved state management.
- Impact: A local user may be able to modify the state of the Keychain
- Description: An authorization issue was addressed with improved state management.
- Impact: A local user may be able to view sensitive user information
- Description: An authorization issue was addressed with improved state management.
- WebKit:
- Impact: Visiting a maliciously crafted website may lead to cookies being overwritten
- Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A race condition was addressed with improved locking.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
- Description: A memory corruption issue was addressed with improved input validation.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved state management.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: An inconsistent user interface issue was addressed with improved state management.
- Impact: Visiting a maliciously crafted website may leak sensitive data
- Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A buffer overflow issue was addressed with improved memory handling.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation.
New in iCloud 7.4 Build 111 (Mar 31, 2018)
- Security:
- Impact: A malicious application may be able to elevate privileges
- Description: A buffer overflow was addressed with improved size validation.
- WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- WebKit:
- Impact: Unexpected interaction with indexing types causing an ASSERT failure
- Description: An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed through improved checks.
- WebKit:
- Impact: Processing maliciously crafted web content may lead to a denial of service
- Description: A memory corruption issue was addressed through improved input validation.
- WebKit:
- Impact: A malicious website may exfiltrate data cross-origin
- Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.
New in iCloud 7.3 Build 20 (Jan 24, 2018)
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4088: Jeonghoon Shin of Theori
- CVE-2018-4096: found by OSS-Fuzz
New in iCloud 7.2.0.67 (Dec 14, 2017)
- APNs Server:
- Available for: Windows 7 and later
- Impact: An attacker in a privileged network position can track a user
- Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
- CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2017-7156: an anonymous researcher
- CVE-2017-7157: an anonymous researcher
- CVE-2017-13856: Jeonghoon Shin
- CVE-2017-13870: an anonymous researcher
- CVE-2017-13866: an anonymous researcher
New in iCloud 7.0.1.210 (Sep 25, 2017)
- SQLite
- Available for: Windows 7 and later
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7127: an anonymous researcher
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed through improved input validation.
- CVE-2017-7081: Apple
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2017-7087: Apple
- CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative
- CVE-2017-7092: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team
- CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative
- CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
- CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative
- CVE-2017-7096: Wei Yuan of Baidu Security Lab
- CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
- CVE-2017-7099: Apple
- CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
- CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
- CVE-2017-7104: likemeng of Baidu Security Lab
- CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
- CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro's Zero Day Initiative
- CVE-2017-7117: lokihardt of Google Project Zero
- CVE-2017-7120: chenqin of Ant-financial Light-Year Security Lab
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of parent-tab. This issue was addressed with improved state management.
- CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC
- WebKit
- Available for: Windows 7 and later
- Impact: Cookies belonging to one origin may be sent to another origin
- Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes.
- CVE-2017-7090: Apple
- WebKit
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: An inconsistent user interface issue was addressed with improved state management.
- CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
- WebKit
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
- Description: Application Cache policy may be unexpectedly applied.
- CVE-2017-7109: avlidienbrunn
New in iCloud 6.2.2.39 (May 15, 2017)
- Multiple memory corruption issues were addressed with improved memory handling.
New in iCloud 6.2.1.67 (Mar 28, 2017)
- APNs Server:
- Available for: Windows 7 and later
- Impact: An attacker in a privileged network position can track a user's activity
- Description: A client certificate was sent in plaintext. This issue was addressed through improved certificate handling.
- libxslt:
- Available for: Windows 7 and later
- Impact: Multiple vulnerabilities in libxslt
- Description: Multiple memory corruption issues were addressed through improved memory handling.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed through improved memory handling.
- WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
- Description: A validation issue existed in element handling. This issue was addressed through improved validation.
New in iCloud 6.1.0.30 (Dec 13, 2016)
- WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed through improved memory handling.
- Impact: Processing maliciously crafted web content may result in the disclosure of process memory
- Description: A memory corruption issue was addressed through improved state management.
- Windows Security:
- Impact: A local user may be able to leak sensitive user information
- Description: The iCloud desktop client failed to clear sensitive information in memory. This issue was addressed through improved memory handling.
New in iCloud 6.0.1.41 (Sep 21, 2016)
- WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed through improved memory handling.
- CVE-2016-4762: Zheng Huang of Baidu Security Lab
New in iCloud 5.1.0.34 (Dec 8, 2015)
- iCloud for Windows 5.1 supports Outlook 2016. Update iCloud for Windows now to access your iCloud Mail, Contacts, and Calendars in Outlook 2016.