APPLE-SA-2017-03-27-2 Safari 10.1

Safari 10.1 is now available and addresses the following:

CoreGraphics
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2017-2444: Mei Wang of 360 GearTeam

Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue was addressed by disabling text
input until the destination page loads.
CVE-2017-2376: Chris Hlady of Google Inc, Muneaki Nishimura
(nishimunea) of Recruit Technologies Co., Ltd., Yuyang Zhou of
Tencent Security Platform Department (security.tencent.com), Michal
Zalewski of Google Inc, an anonymous researcher, an anonymous
researcher

Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may present
authentication sheets over arbitrary web sites
Description: A spoofing issue existed in the handling of HTTP
authentication. This issue was addressed through making HTTP
authentication sheets non-modal.
CVE-2017-2389: ShenYeYinJiu of Tencent Security Response Center, TSRC

Safari
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: A spoofing issue existed in the handling of FaceTime
prompts. This issue was addressed through improved input validation.
CVE-2017-2453: xisigr of Tencent’s Xuanwu Lab (tencent.com)

Safari Login AutoFill
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: A local user may be able to access locked keychain items
Description: A keychain handling issue was addressed through improved
keychain item management.
CVE-2017-2385: Simon Woodside of MedStack

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Dragging and dropping a maliciously crafted link may lead to
bookmark spoofing or arbitrary code execution
Description: A validation issue existed in bookmark creation. This
issue was addressed through improved input validation.
CVE-2017-2378: xisigr of Tencent’s Xuanwu Lab (tencent.com)

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A prototype access issue was addressed through improved
exception handling.
CVE-2017-2386: André Bargull

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved input validation.
CVE-2016-9642: Gustavo Grieco
CVE-2017-2394: Apple
CVE-2017-2396: Apple

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2395: Apple
CVE-2017-2454: Ivan Fratric of Google Project Zero
CVE-2017-2455: Ivan Fratric of Google Project Zero
CVE-2017-2459: Ivan Fratric of Google Project Zero
CVE-2017-2460: Ivan Fratric of Google Project Zero
CVE-2017-2464: Natalie Silvanovich of Google Project Zero, Jeonghoon
Shin
CVE-2017-2465: Zheng Huang and Wei Yuan of Baidu Security Lab
CVE-2017-2466: Ivan Fratric of Google Project Zero
CVE-2017-2468: lokihardt of Google Project Zero
CVE-2017-2469: lokihardt of Google Project Zero
CVE-2017-2470: lokihardt of Google Project Zero
CVE-2017-2476: Ivan Fratric of Google Project Zero
CVE-2017-2481: 0011 working with Trend Micro’s Zero Day Initiative

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2017-2415: Kai Kang of Tencent’s Xuanwu Lab (tencent.com)

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
unexpectedly unenforced Content Security Policy
Description: An access issue existed in Content Security Policy. This
issue was addressed through improved access restrictions.
CVE-2017-2419: Nicolai Grødum of Cisco Systems

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to high
memory consumption
Description: An uncontrolled resource consumption issue was addressed
through improved regex processing.
CVE-2016-9643: Gustavo Grieco

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An information disclosure issue existed in the
processing of OpenGL shaders. This issue was addressed through
improved memory management.
CVE-2017-2424: Paul Thomson (using the GLFuzz tool) of the Multicore
Programming Group, Imperial College London

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2433: Apple

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2364: lokihardt of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: A malicious website may exfiltrate data cross-origin
Description: A validation issue existed in the handling of page
loading. This issue was addressed through improved logic.
CVE-2017-2367: lokihardt of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of frame objects.
This issue was addressed with improved state management.
CVE-2017-2445: lokihardt of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A logic issue existed in the handling of strict mode
functions. This issue was addressed with improved state management.
CVE-2017-2446: Natalie Silvanovich of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Visiting a maliciously crafted website may compromise user
information
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2017-2447: Natalie Silvanovich of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed through improved
memory management.
CVE-2017-2471: Ivan Fratric of Google Project Zero

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in frame handling. This issue was
addressed through improved state management.
CVE-2017-2475: lokihardt of Google Project Zero

WebKit JavaScript Bindings
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: Multiple validation issues existed in the handling of
page loading. This issue was addressed through improved logic.
CVE-2017-2442: lokihardt of Google Project Zero

WebKit Web Inspector
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Closing a window while paused in the debugger may lead to
unexpected application termination
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2377: Vicki Pfau

WebKit Web Inspector
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-2405: Apple

Installation note:

Safari 10.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
Security-announce mailing list (Security-announce@lists.apple.com)