Nacionalni CERT

Update for the macOS High Sierra and El Capitan operating systems

APPLE-SA-2017-12-6-1 macOS High Sierra 10.13.2, Security Update
2017-002 Sierra, and Security Update 2017-005 El Capitan

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and
Security Update 2017-005 El Capitan are now available and address
the following:

apache
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: Processing a maliciously crafted Apache configuration
directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to
version 2.4.28.
CVE-2017-9798

curl
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read
out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD
response parsing. This issue was addressed with improved bounds
checking.
CVE-2017-1000254: Max Dymond

Directory Utility
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator
authentication without supplying the administrator's password
Description: A logic error existed in the validation of credentials.
This was addressed with improved credential validation.
CVE-2017-13872

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13883: an anonymous researcher

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2017-13878: Ian Beer of Google Project Zero

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with
system privileges
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift)
of SoftSec, KAIST (softsec.kaist.ac.kr)

IOKit
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with
system privileges
Description: An input validation issue existed in the kernel. This
issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher

IOKit
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13862: Apple

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2017-13833: Brandon Azad

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero

Mail
Available for: macOS High Sierra 10.13.1
Impact: A S/MIME encrypted email may be inadvertently sent
unencrypted if the receiver's S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-13871: an anonymous researcher

Mail Drafts
Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to
intercept mail
Description: An encryption issue existed with S/MIME credentials. The
issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH

OpenSSL
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in
X.509 IPAddressFamily parsing. This issue was addressed with improved
bounds checking.
CVE-2017-3735: found by OSS-Fuzz

Screen Sharing Server
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
Impact: A user with screen sharing access may be able to access any
file readable by root
Description: A permissions issue existed in the handling of screen
sharing sessions. This issue was addressed with improved permissions
handling.
CVE-2017-13826: Trevor Jacques of Toronto

Installation note:

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and
Security Update 2017-005 El Capitan may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

Security-announce mailing list (Security-announce@lists.apple.com)
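To turn an advisory in this APPLE-SA layout into something a patch-tracking process can act on, the following added example (not Apple's or the CERT's code) parses the per-component blocks and answers "which CVEs apply to this exact product version". The excerpt is two entries re-typed from the advisory above; `parse_advisory` and `cves_for` are hypothetical helper names.

```python
import re

# Constructed excerpt, re-typed from the advisory above in its APPLE-SA layout.
ADVISORY = """\
curl
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X
El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read
out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD
response parsing. This issue was addressed with improved bounds
checking.
CVE-2017-1000254: Max Dymond

Directory Utility
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator
authentication without supplying the administrator's password
Description: A logic error existed in the validation of credentials.
This was addressed with improved credential validation.
CVE-2017-13872
"""

FIELD_KEYS = {"Available for", "Not impacted", "Impact", "Description"}

def parse_advisory(text):
    """One dict per component; wrapped field lines are re-joined with a space."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name, *rest = block.splitlines()
        entry = {"component": name.strip(), "fields": {}, "cves": []}
        key = None
        for line in rest:
            if m := re.match(r"CVE-\d{4}-\d{4,}", line):  # 'CVE-...: credit'
                entry["cves"].append(m.group(0))
                key = None  # credit continuation lines are not field text
            elif line.split(":", 1)[0] in FIELD_KEYS:
                key, value = line.split(":", 1)
                entry["fields"][key] = value.strip()
            elif key:  # continuation of the previous wrapped field
                entry["fields"][key] += " " + line.strip()
        entries.append(entry)
    return entries

def cves_for(entries, product):
    """CVEs listed for exactly this product version; '10.13' != '10.13.1'."""
    pat = re.compile(re.escape(product) + r"(?![.\d])")
    return [c for e in entries
            if pat.search(e["fields"].get("Available for", "")) for c in e["cves"]]
```

Matching is literal against the "Available for" line, so a host reporting 10.13 (not 10.13.1) is only flagged for entries that name 10.13 explicitly; treat that as a cue to upgrade rather than as "not affected".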
Apple has released an update for the macOS High Sierra and El Capitan operating systems. The discovered flaws affect many components and, depending on the type of flaw, could be exploited to disclose process memory, cause a DoS condition, bypass security restrictions, execute arbitrary code with elevated privileges, or disclose sensitive information. Applying the released patches and reading the original advisory for further details is advised.