iCloud Changelog

New in iCloud 14.1.108.0 Store App (Dec 14, 2022)

  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted file may lead to arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved input validation.
  • CVE-2022-46693: Mickey Jin (@patch1t)
  • WebKit:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may bypass Same Origin Policy
  • Description: A logic issue was addressed with improved state management.
  • WebKit Bugzilla: 246783
  • CVE-2022-46692: KirtiKumar Anandrao Ramchandani
  • WebKit:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may disclose sensitive user information
  • Description: A logic issue was addressed with improved checks.
  • CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

New in iCloud 12.3.74.10 Store App (Apr 27, 2021)

  • CFNetwork:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may disclose sensitive user information
  • Description: A memory initialization issue was addressed with improved memory handling.
  • CVE-2021-1857: an anonymous researcher
  • CoreText:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted font may result in the disclosure of process memory
  • Description: A logic issue was addressed with improved state management.
  • CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab
  • WebKit:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions
  • WebRTC:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-7463: Megan2013678

New in iCloud 12.2.0.10 Store App (Feb 17, 2021)

  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-29611: Ivan Fratric of Google Project Zero
  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-29618: Xingwei Lin of Ant Security Light-Year Lab
  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted image may lead to heap corruption
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-29617: Xingwei Lin of Ant Security Light-Year Lab
  • CVE-2020-29619: Xingwei Lin of Ant Security Light-Year Lab

New in iCloud 11.5 Store App (Dec 3, 2020)

  • Foundation:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A local user may be able to read arbitrary files
  • Description: A logic issue was addressed with improved state management.
  • CVE-2020-10002: James Hutchins
  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab
  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds write was addressed with improved input validation.
  • CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab
  • ImageIO:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9876: Mickey Jin of Trend Micro
  • libxml2:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may lead to code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-27917: found by OSS-Fuzz
  • libxml2:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: An integer overflow was addressed through improved input validation.
  • CVE-2020-27911: found by OSS-Fuzz
  • libxml2:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing a maliciously crafted file may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-9981: found by OSS-Fuzz
  • SQLite:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A remote attacker may be able to cause a denial of service
  • Description: This issue was addressed with improved checks.
  • CVE-2020-13434
  • CVE-2020-13435
  • SQLite:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A remote attacker may be able to cause arbitrary code execution
  • Description: A memory corruption issue was addressed with improved state management.
  • CVE-2020-13630
  • SQLite:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A remote attacker may be able to leak memory
  • Description: An information disclosure issue was addressed with improved state management.
  • CVE-2020-9849
  • SQLite:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: A maliciously crafted SQL query may lead to data corruption
  • Description: This issue was addressed with improved checks.
  • CVE-2020-13631
  • WebKit:
  • Available for:
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
  • CVE-2020-27918: an anonymous researcher
  • WebKit:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may lead to code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9983: zhunki
  • WebKit:
  • Available for: Windows 10 and later via the Microsoft Store
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-27918: an anonymous researcher
  • CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
  • CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos

New in iCloud 11.4 Store App (Sep 25, 2020)

  • WebKit:
  • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2020-9952: Ryan Pickren (ryanpickren.com)

New in iCloud 7.20 (Aug 11, 2020)

  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab
  • CVE-2020-9936: Mickey Jin of Trend Micro
  • CVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab
  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab
  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab
  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2020-9919: Mickey Jin of Trend Micro
  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9876: Mickey Jin of Trend Micro
  • ImageIO:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An integer overflow was addressed through improved input validation.
  • CVE-2020-9875: Mickey Jin of Trend Micro
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
  • Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
  • CVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue was addressed with improved state management.
  • CVE-2020-9925: an anonymous researcher
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
  • CVE-2020-9895: Wen Xu of SSLab, Georgia Tech
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
  • Description: Multiple issues were addressed with improved logic.
  • CVE-2020-9910: Samuel Groß of Google Project Zero
  • WebKit Page Loading:
  • Available for: Windows 7 and later
  • Impact: A malicious attacker may be able to conceal the destination of a URL
  • Description: A URL Unicode encoding issue was addressed with improved state management.
  • CVE-2020-9916: Rakesh Mane (@RakeshMane10)
  • WebKit Web Inspector:
  • Available for: Windows 7 and later
  • Impact: Copying a URL from Web Inspector may lead to command injection
  • Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
  • CVE-2020-9862: Ophir Lojkine (@lovasoa)

New in iCloud 7.18 (Mar 25, 2020)

  • libxml2
  • Available for: Windows 7 and later
  • Impact: Multiple issues in libxml2
  • Description: A buffer overflow was addressed with improved size validation.
  • CVE-2020-3910: LGTM.com
  • libxml2
  • Available for: Windows 7 and later
  • Impact: Multiple issues in libxml2
  • Description: A buffer overflow was addressed with improved bounds checking.
  • CVE-2020-3909: LGTM.com
  • CVE-2020-3911: found by OSS-Fuzz
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2020-3901: Benjamin Randazzo (@____benjamin)
  • WebKit
  • Available for: Windows 7 and later
  • Impact: A download's origin may be incorrectly associated
  • Description: A logic issue was addressed with improved restrictions.
  • CVE-2020-3887: Ryan Pickren (ryanpickren.com)
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2020-3895: grigoritchy
  • CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech
  • WebKit
  • Available for: Windows 7 and later
  • Impact: An application may be able to read restricted memory
  • Description: A race condition was addressed with additional validation.
  • CVE-2020-3894: Sergei Glazunov of Google Project Zero
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-9783: Apple
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A remote attacker may be able to cause arbitrary code execution
  • Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A remote attacker may be able to cause arbitrary code execution
  • Description: A memory consumption issue was addressed with improved memory handling.
  • CVE-2020-3899: found by OSS-Fuzz
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2020-3902: Yigit Can YILMAZ (@yilmazcanyigit)
  • WebKit Page Loading:
  • Available for: Windows 7 and later
  • Impact: A file URL may be incorrectly processed
  • Description: A logic issue was addressed with improved restrictions.
  • CVE-2020-3885: Ryan Pickren (ryanpickren.com)

New in iCloud 7.16 (Dec 12, 2019)

  • CFNetwork Proxies:
  • Available for: Windows 7 and later
  • Impact: An application may be able to gain elevated privileges
  • Description: This issue was addressed with improved checks.
  • CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team
  • libexpat:
  • Available for: Windows 7 and later
  • Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information
  • Description: This issue was addressed by updating to expat version 2.2.8.
  • CVE-2019-15903: Joonun Jang
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8835: Anonymous working with Trend Micro's Zero Day Initiative, Mike Zhang of Pangu Team
  • CVE-2019-8844: William Bowling (@wcbowling)
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2019-8846: Marcin Towalski of Cisco Talos

New in iCloud 7.15 (Oct 30, 2019)

  • Graphics Driver:
  • Available for: Windows 7 and later
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8784: Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team
  • CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech
  • CVE-2019-8814: Cheolung Lee of LINE+ Security Team
  • CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech
  • CVE-2019-8819: Cheolung Lee of LINE+ Security Team
  • CVE-2019-8820: Samuel Groß of Google Project Zero
  • CVE-2019-8821: Sergei Glazunov of Google Project Zero
  • CVE-2019-8822: Sergei Glazunov of Google Project Zero
  • CVE-2019-8823: Sergei Glazunov of Google Project Zero
  • WebKit Process Model:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8815: Apple

New in iCloud 7.14 (Oct 8, 2019)

  • UIFoundation:
  • Available for: Windows 7 and later
  • Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
  • Description: A buffer overflow was addressed with improved bounds checking.
  • CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue was addressed with improved state management.
  • CVE-2019-8625: Sergei Glazunov of Google Project Zero
  • CVE-2019-8719: Sergei Glazunov of Google Project Zero
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative
  • CVE-2019-8726: Jihui Lu of Tencent KeenLab
  • CVE-2019-8733: Sergei Glazunov of Google Project Zero
  • CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative
  • CVE-2019-8763: Sergei Glazunov of Google Project Zero

New in iCloud 7.13 (Jul 24, 2019)

  • libxslt:
  • Available for: Windows 7 and later
  • Impact: A remote attacker may be able to view sensitive information
  • Description: A stack overflow was addressed with improved input validation.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue was addressed with improved state management.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

New in iCloud 7.12 (May 29, 2019)

  • SQLite:
  • Available for: Windows 7 and later
  • Impact: An application may be able to gain elevated privileges
  • Description: An input validation issue was addressed with improved memory handling.
  • CVE-2019-8577: Omer Gull of Checkpoint Research
  • SQLite:
  • Available for: Windows 7 and later
  • Impact: A maliciously crafted SQL query may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved input validation.
  • CVE-2019-8600: Omer Gull of Checkpoint Research
  • SQLite:
  • Available for: Windows 7 and later
  • Impact: A malicious application may be able to read restricted memory
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2019-8598: Omer Gull of Checkpoint Research
  • SQLite:
  • Available for: Windows 7 and later
  • Impact: A malicious application may be able to elevate privileges
  • Description: A memory corruption issue was addressed by removing the vulnerable code.
  • CVE-2019-8602: Omer Gull of Checkpoint Research
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may result in the disclosure of process memory
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
  • CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative
  • CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
  • CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
  • CVE-2019-8586: an anonymous researcher
  • CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
  • CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
  • CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
  • CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
  • CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
  • CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative
  • CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
  • CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
  • CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
  • CVE-2019-8611: Samuel Groß of Google Project Zero
  • CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative
  • CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
  • CVE-2019-8622: Samuel Groß of Google Project Zero
  • CVE-2019-8623: Samuel Groß of Google Project Zero
  • CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab

New in iCloud 7.9.0.9 (Dec 6, 2018)

  • Safari:
  • Available for: Windows 7 and later
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: A logic issue was addressed with improved state management.
  • CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab (xlab.tencent.com)
  • Safari:
  • Available for: Windows 7 and later
  • Impact: Visiting a malicious website may lead to user interface spoofing
  • Description: A logic issue was addressed with improved validation.
  • CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
  • CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2018-4441: lokihardt of Google Project Zero
  • CVE-2018-4442: lokihardt of Google Project Zero
  • CVE-2018-4443: lokihardt of Google Project Zero
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

New in iCloud 7.8.1.12 (Dec 6, 2018)

  • Safari:
  • Available for: Windows 7 and later
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: A logic issue was addressed with improved state management.
  • CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab (xlab.tencent.com)
  • Safari:
  • Available for: Windows 7 and later
  • Impact: Visiting a malicious website may lead to user interface spoofing
  • Description: A logic issue was addressed with improved validation.
  • CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
  • CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2018-4441: lokihardt of Google Project Zero
  • CVE-2018-4442: lokihardt of Google Project Zero
  • CVE-2018-4443: lokihardt of Google Project Zero
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

New in iCloud 7.7 Build 27 (Oct 9, 2018)

  • WebKit
  • Available for: Windows 7 and later
  • Impact: Unexpected interaction causes an ASSERT failure
  • Description: A memory corruption issue was addressed with improved validation.
  • CVE-2018-4191: found by OSS-Fuzz
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Cross-origin SecurityErrors include the accessed frame’s origin
  • Description: The issue was addressed by removing origin information.
  • CVE-2018-4311: Erling Alf Ellingsen (@steike)
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved state management.
  • CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4299: Samuel Groß (saelo) working with Trend Micro's Zero Day Initiative
  • CVE-2018-4323: Ivan Fratric of Google Project Zero
  • CVE-2018-4328: Ivan Fratric of Google Project Zero
  • CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative
  • CVE-2018-4359: Samuel Groß (@5aelo)
  • WebKit
  • Available for: Windows 7 and later
  • Impact: A malicious website may cause unexpected cross-origin behavior
  • Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins.
  • CVE-2018-4319: John Pettitt of Google
  • WebKit
  • Available for: Windows 7 and later
  • Impact: A malicious website may be able to execute scripts in the context of another website
  • Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.
  • CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2018-4197: Ivan Fratric of Google Project Zero
  • CVE-2018-4306: Ivan Fratric of Google Project Zero
  • CVE-2018-4312: Ivan Fratric of Google Project Zero
  • CVE-2018-4314: Ivan Fratric of Google Project Zero
  • CVE-2018-4315: Ivan Fratric of Google Project Zero
  • CVE-2018-4317: Ivan Fratric of Google Project Zero
  • CVE-2018-4318: Ivan Fratric of Google Project Zero
  • WebKit
  • Available for: Windows 7 and later
  • Impact: A malicious website may exfiltrate image data cross-origin
  • Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.
  • CVE-2018-4345: an anonymous researcher
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Unexpected interaction causes an ASSERT failure
  • Description: A memory consumption issue was addressed with improved memory handling.
  • CVE-2018-4361: found by Google OSS-Fuzz

New in iCloud 7.6 Build 15 (Jul 10, 2018)

  • CFNetwork:
  • Available for: Windows 7 and later
  • Impact: Cookies may unexpectedly persist in Safari
  • Description: A cookie management issue was addressed with improved checks.
  • CVE-2018-4293: an anonymous researcher
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2018-4270: found by OSS-Fuzz
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2018-4284: found by OSS-Fuzz
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A malicious website may exfiltrate audio data cross-origin
  • Description: Sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking.
  • CVE-2018-4278: Jun Kokatsu (@shhnjk)
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: A malicious website may be able to cause a denial of service
  • Description: A race condition was addressed with additional validation.
  • CVE-2018-4266: found by OSS-Fuzz
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4261: Omair working with Trend Micro's Zero Day Initiative
  • CVE-2018-4262: Mateusz Krzywicki working with Trend Micro's Zero Day Initiative
  • CVE-2018-4263: Arayz working with Trend Micro's Zero Day Initiative
  • CVE-2018-4264: found by OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year Security Lab
  • CVE-2018-4265: cc working with Trend Micro's Zero Day Initiative
  • CVE-2018-4267: Arayz of Pangu team working with Trend Micro's Zero Day Initiative
  • CVE-2018-4272: found by OSS-Fuzz
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
  • Description: Multiple memory corruption issues were addressed with improved input validation.
  • CVE-2018-4271: found by OSS-Fuzz
  • CVE-2018-4273: found by OSS-Fuzz

New in iCloud 7.5 Build 34 (Jun 5, 2018)

  • Security:
  • Impact: A local user may be able to read a persistent device identifier
  • Description: An authorization issue was addressed with improved state management.
  • Impact: A local user may be able to modify the state of the Keychain
  • Description: An authorization issue was addressed with improved state management.
  • Impact: A local user may be able to view sensitive user information
  • Description: An authorization issue was addressed with improved state management.
  • WebKit:
  • Impact: Visiting a maliciously crafted website may lead to cookies being overwritten
  • Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A race condition was addressed with improved locking.
  • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
  • Description: A memory corruption issue was addressed with improved input validation.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved memory handling.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A type confusion issue was addressed with improved memory handling.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved state management.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • Impact: Visiting a maliciously crafted website may leak sensitive data
  • Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A buffer overflow issue was addressed with improved memory handling.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.

New in iCloud 7.4 Build 111 (Mar 31, 2018)

  • Security:
  • Impact: A malicious application may be able to elevate privileges
  • Description: A buffer overflow was addressed with improved size validation.
  • WebKit:
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • WebKit:
  • Impact: Unexpected interaction with indexing types causing an ASSERT failure
  • Description: An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed through improved checks.
  • WebKit:
  • Impact: Processing maliciously crafted web content may lead to a denial of service
  • Description: A memory corruption issue was addressed through improved input validation.
  • WebKit:
  • Impact: A malicious website may exfiltrate data cross-origin
  • Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.

New in iCloud 7.3 Build 20 (Jan 24, 2018)

  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4088: Jeonghoon Shin of Theori
  • CVE-2018-4096: found by OSS-Fuzz

New in iCloud 7.2.0.67 (Dec 14, 2017)

  • APNs Server:
  • Available for: Windows 7 and later
  • Impact: An attacker in a privileged network position can track a user
  • Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
  • CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2017-7156: an anonymous researcher
  • CVE-2017-7157: an anonymous researcher
  • CVE-2017-13856: Jeonghoon Shin
  • CVE-2017-13870: an anonymous researcher
  • CVE-2017-13866: an anonymous researcher

New in iCloud 7.0.1.210 (Sep 25, 2017)

  • SQLite
  • Available for: Windows 7 and later
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7127: an anonymous researcher
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved input validation.
  • CVE-2017-7081: Apple
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2017-7087: Apple
  • CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative
  • CVE-2017-7092: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team
  • CVE-2017-7093: Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative
  • CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
  • CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative
  • CVE-2017-7096: Wei Yuan of Baidu Security Lab
  • CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica
  • CVE-2017-7099: Apple
  • CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
  • CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
  • CVE-2017-7104: likemeng of Baidu Security Lab
  • CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University
  • CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro's Zero Day Initiative
  • CVE-2017-7117: lokihardt of Google Project Zero
  • CVE-2017-7120: chenqin of Ant-financial Light-Year Security Lab
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue existed in the handling of parent-tab. This issue was addressed with improved state management.
  • CVE-2017-7089: Frans Rosén of Detectify, Anton Lopanitsyn of ONSEC
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Cookies belonging to one origin may be sent to another origin
  • Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes.
  • CVE-2017-7090: Apple
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Visiting a malicious website may lead to address bar spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)
  • WebKit
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
  • Description: Application Cache policy may be unexpectedly applied.
  • CVE-2017-7109: avlidienbrunn

New in iCloud 6.2.2.39 (May 15, 2017)

  • Multiple memory corruption issues were addressed with improved memory handling.

New in iCloud 6.2.1.67 (Mar 28, 2017)

  • APNs Server:
  • Available for: Windows 7 and later
  • Impact: An attacker in a privileged network position can track a user's activity
  • Description: A client certificate was sent in plaintext. This issue was addressed through improved certificate handling.
  • libxslt:
  • Available for: Windows 7 and later
  • Impact: Multiple vulnerabilities in libxslt
  • Description: Multiple memory corruption issues were addressed through improved memory handling.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed through improved memory handling.
  • WebKit:
  • Available for: Windows 7 and later
  • Impact: Processing maliciously crafted web content may exfiltrate data cross-origin
  • Description: A validation issue existed in element handling. This issue was addressed through improved validation.

New in iCloud 6.1.0.30 (Dec 13, 2016)

  • WebKit:
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed through improved memory handling.
  • Impact: Processing maliciously crafted web content may result in the disclosure of process memory
  • Description: A memory corruption issue was addressed through improved state management.
  • Windows Security:
  • Impact: A local user may be able to leak sensitive user information
  • Description: The iCloud desktop client failed to clear sensitive information in memory. This issue was addressed through improved memory handling.

New in iCloud 6.0.1.41 (Sep 21, 2016)

  • WebKit:
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved memory handling.
  • CVE-2016-4762: Zheng Huang of Baidu Security Lab

New in iCloud 5.1.0.34 (Dec 8, 2015)

  • iCloud for Windows 5.1 supports Outlook 2016. Update iCloud for Windows now to access your iCloud Mail, Contacts, and Calendars in Outlook 2016.