SecurityTracker.com
Category:   OS (Other)  >   Apple iOS
Vendors:   Apple
Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
SecurityTracker Alert ID:  1039703
SecurityTracker URL:  http://securitytracker.com/id/1039703
CVE Reference:   CVE-2017-13080, CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13799, CVE-2017-13802, CVE-2017-13803, CVE-2017-13804, CVE-2017-13805, CVE-2017-13844, CVE-2017-13849, CVE-2017-7113
Date:  Oct 31 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.1
Description:   Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can modify data on the target system. A remote user can cause the target application to crash. A local user can obtain potentially sensitive information. An application can obtain elevated privileges on the target system.

A remote user can trigger a memory handling error in the CoreText component to cause denial of service conditions [CVE-2017-13849].

An application can trigger a memory corruption error in the kernel component to execute arbitrary code with kernel privileges [CVE-2017-13799].

A physically local user can exploit a flaw in the Messages application to access photos on the locked target device via the Reply With Message function [CVE-2017-13844].

A physically local user can trigger a flaw in the Siri component to read notifications on the target system [CVE-2017-13805].

A remote user can create a specially crafted zip file that, when loaded by the target user, will trigger a path handling flaw in the StreamingZip component to modify restricted areas of the file system [CVE-2017-13804].

A physically local user can exploit a flaw in the UIKit component to view characters in a secure text field [CVE-2017-7113].

A remote user can trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803].

A remote user on the local network can cause the Wi-Fi component to reuse a nonce to potentially decrypt Wi-Fi connection data [CVE-2017-13080].

@qwertyoruiopz at KJC Research Intl. S.R.L., Hanul Choi (via Trend Micro's Zero Day Initiative), Ivan Fratric of Google Project Zero, Mathy Vanhoef of the imec-DistriNet group at KU Leuven, Miguel Alvarado of iDeviceHelp INC, Ro of SavSec, Yiğit Can YILMAZ (@yilmazcanyigit), an anonymous researcher, Duraiamuthan Harikrishnan of Tech Mahindra, Ricardo Sampayo of Bemo Ltd, chenqin of Ant-financial Light-Year Security, and xisigr of Tencent's Xuanwu Lab (tencent.com) reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can modify data on the target system.

A remote user can cause the target service to crash.

A local user can obtain potentially sensitive information on the target system.

An application can obtain elevated privileges on the target system.

Solution:   The vendor has issued a fix (11.1).

The vendor advisory is available at:

https://support.apple.com/en-us/HT208222

Vendor URL:  support.apple.com/en-us/HT208222
Cause:   Access control error, Input validation error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 31 2017 (Apple Issues Fix for Apple Safari) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
Apple has issued a fix for Apple Safari.
Nov 1 2017 (Apple Issues Fix for Apple Watch) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
Apple has issued a fix for Apple Watch.
Nov 1 2017 (Apple Issues Fix for Apple iTunes for Windows) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
Apple has issued a fix for Apple iTunes for Windows.
Nov 1 2017 (Apple Issues Fix for Apple TV) Apple iOS Multiple Flaws Let Remote Users Execute Arbitrary Code, Modify Data, and Cause Denial of Service Conditions, Local and Remote Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges
Apple has issued a fix for Apple TV.

Copyright 2018, SecurityGlobal.net LLC