SecurityTracker.com
Category:   OS (UNIX)  >   Apple macOS/OS X
Vendors:   Apple
Apple macOS/OS X Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Let Local Users Obtain Potentially Sensitive Information and Gain Elevated Privileges
SecurityTracker Alert ID:  1038951
SecurityTracker URL:  http://securitytracker.com/id/1038951
CVE Reference:   CVE-2017-7014, CVE-2017-7015, CVE-2017-7016, CVE-2017-7017, CVE-2017-7021, CVE-2017-7031, CVE-2017-7032, CVE-2017-7033, CVE-2017-7035, CVE-2017-7036, CVE-2017-7044, CVE-2017-7045, CVE-2017-7050, CVE-2017-7051, CVE-2017-7054, CVE-2017-7067
Date:  Jul 19 2017
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.12.5 and prior
Description:   Multiple vulnerabilities were reported in Apple macOS/OS X. A remote user can cause arbitrary code to be executed on the target user's system. A remote or local user can obtain potentially sensitive information from system memory. An application can obtain elevated privileges on the target system.

An application can trigger a memory corruption error in the Intel Graphics Driver component to execute arbitrary code with system privileges [CVE-2017-7014, CVE-2017-7017, CVE-2017-7035, CVE-2017-7044].

A remote user can trigger a memory corruption error in the Audio component to obtain potentially sensitive information from restricted memory [CVE-2017-7015].

A remote user can trigger a memory corruption error in the afclip component to execute arbitrary code [CVE-2017-7016].

An application can trigger a memory corruption error in the AppleGraphicsPowerManagement component to execute arbitrary code with system privileges [CVE-2017-7021].

A remote user can trigger a memory corruption error in the Foundation component to execute arbitrary code [CVE-2017-7031].

An application can trigger a memory corruption error in the kext tools component to execute arbitrary code with system privileges [CVE-2017-7032].

A remote user can trigger a memory corruption error in the afclip component to execute arbitrary code [CVE-2017-7033].

An application can trigger an input validation flaw in the Intel Graphics Driver component to read restricted memory [CVE-2017-7036, CVE-2017-7045].

An application can trigger a memory corruption error in the Bluetooth component to execute arbitrary code with system privileges [CVE-2017-7050, CVE-2017-7051].

An application can trigger a memory corruption error in the Bluetooth component to execute arbitrary code with kernel privileges [CVE-2017-7054].

An application can trigger an input validation flaw in the kernel component to read restricted memory [CVE-2017-7067].

Alex Plaskett of MWR InfoSecurity, Axis and sss of Qihoo 360 Nirvan Team, Lee of Minionz, HappilyCoded (ant4g0nist and r3dsm0k3), Lufeng Li of Qihoo 360 Vulcan Team, Min (Spark) Zheng of Alibaba Inc., chenqin of Ant-financial Light-Year Security Lab, riusksk of Tencent Security Platform Department, and shrek_wzw of Qihoo 360 Nirvan Team reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

An application can obtain potentially sensitive information from system memory on the target system.

An application can obtain elevated privileges on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (10.12.6, Security Update 2017-003 El Capitan, Security Update 2017-003 Yosemite).

The vendor advisory is available at:

https://support.apple.com/kb/HT207922

Vendor URL:  support.apple.com/kb/HT207922
Cause:   Access control error, Input validation error

Message History:   None.


Copyright 2017, SecurityGlobal.net LLC