==================================================================== CERT-Renater Note d'Information No. 2017/VULN157 _____________________________________________________________________ DATE : 18/05/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Safari versions prior to 10.1.1. ===================================================================== https://lists.apple.com/archives/security-announce/2017/May/msg00003.html ____________________________________________________________________ APPLE-SA-2017-05-15-7 Safari 10.1.1 Safari 10.1.1 is now available and addresses the following: Safari Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Visiting a maliciously crafted webpage may lead to an application denial of service Description: An issue in Safari's history menu was addressed through improved memory handling. CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc. Safari Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2017-2500: Zhiyang Zeng and Yuyang Zhou of Tencent Security Platform Department CVE-2017-2511: Zhiyang Zeng of Tencent Security Platform Department WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-2496: Apple CVE-2017-2505: lokihardt of Google Project Zero CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Micro’s Zero Day Initiative CVE-2017-2514: lokihardt of Google Project Zero CVE-2017-2515: lokihardt of Google Project Zero CVE-2017-2521: lokihardt of Google Project Zero CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab ( tencent.com) working with Trend Micro’s Zero Day Initiative CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative CVE-2017-2530: Wei Yuan of Baidu Security Lab CVE-2017-2531: lokihardt of Google Project Zero CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day Initiative CVE-2017-6980: lokihardt of Google Project Zero CVE-2017-6984: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. CVE-2017-2504: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management. CVE-2017-2508: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management. CVE-2017-2510: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management. CVE-2017-2528: lokihardt of Google Project Zero WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues with addressed through improved memory handling. CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in frame loading. This issue was addressed with improved state management. CVE-2017-2549: lokihardt of Google Project Zero WebKit Web Inspector Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.5 Impact: An application may be able to execute unsigned code Description: A memory corruption issue was addressed with improved memory handling. CVE-2017-2499: George Dan (@theninjaprawn) Installation note: Safari 10.1.1 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================