==================================================================== CERT-Renater Note d'Information No. 2017/VULN277 _____________________________________________________________________ DATE : 26/09/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running iTunes versions prior to 12.7. ===================================================================== https://lists.apple.com/archives/security-announce/2017/Sep/msg00011.html https://lists.apple.com/archives/security-announce/2017/Sep/msg00012.html ____________________________________________________________________ APPLE-SA-2017-09-25-7 iTunes 12.7 iTunes 12.7 addresses the following: Data Sync Available for: OS X Yosemite 10.10.5 and later Impact: An application may be able to access iOS backups performed through iTunes Description: An access control issue was addressed by restricting access to iOS backups to iTunes. CVE-2017-7079: Pi Delta Entry added September 25, 2017 Installation note: iTunes 12.7 may be obtained from: https://www.apple.com/itunes/download/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ____________________________________________________________________ APPLE-SA-2017-09-25-8 iTunes 12.7 for Windows iTunes 12.7 for Windows addresses the following: WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-7081: Apple Entry added September 25, 2017 WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7087: Apple CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative CVE-2017-7092: Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team, Samuel Gro and Niklas Baumstark working with Trend Micro's Zero Day Initiative CVE-2017-7093: Samuel Gro and Niklas Baumstark working with Trend Micro’s Zero Day Initiative CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative CVE-2017-7096: Wei Yuan of Baidu Security Lab CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica CVE-2017-7099: Apple CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53 CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University CVE-2017-7104: likemeng of Baidu Secutity Lab CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro's Zero Day Initiative CVE-2017-7117: lokihardt of Google Project Zero CVE-2017-7120: chenqin (陈钦) of Ant-financial Light-Year Security Lab Entry added September 25, 2017 WebKit Available for: Windows 7 and later Impact: Cookies belonging to one origin may be sent to another origin Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes. CVE-2017-7090: Apple Entry added September 25, 2017 WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: Application Cache policy may be unexpectedly applied. CVE-2017-7109: avlidienbrunn Entry added September 25, 2017 Installation note: iTunes 12.7 for Windows may be obtained from: https://www.apple.com/itunes/download/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================