Multiple vulnerabilities in Apple macOS

Published: 2017-11-01 14:45:02 | Updated: 2017-11-01 14:45:48
Severity High
Patch available YES
Number of vulnerabilities 36
CVSSv2 3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
2.7 (AV:L/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
6.9 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
1.6 (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
5.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
1.6 (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
6.9 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
4.7 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
5.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
6.9 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
5.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
3.7 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
2.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
2.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
5.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE ID CVE-2017-13782
CVE-2017-13786
CVE-2017-13800
CVE-2017-13801
CVE-2017-13807
CVE-2017-13808
CVE-2017-13809
CVE-2017-13810
CVE-2017-13811
CVE-2017-13812
CVE-2017-13813
CVE-2017-13814
CVE-2017-13815
CVE-2017-13816
CVE-2017-13817
CVE-2017-13818
CVE-2017-13819
CVE-2017-13820
CVE-2017-13821
CVE-2017-13822
CVE-2017-13823
CVE-2017-13824
CVE-2017-13825
CVE-2017-13828
CVE-2017-13830
CVE-2017-13831
CVE-2017-13832
CVE-2017-13834
CVE-2017-13836
CVE-2017-13838
CVE-2017-13840
CVE-2017-13841
CVE-2017-13842
CVE-2017-13843
CVE-2017-13846
CVE-2017-7132
CWE ID CWE-20
CWE-284
CWE-119
CWE-264
CWE-120
CWE-125
CWE-79
CWE-200
Exploitation vector Network
Public exploit Not available
Vulnerable software macOS Sierra
Vulnerable software versions macOS Sierra 10.12.6
macOS Sierra 10.12.5
macOS Sierra 10.12.4
Vendor URL Apple Inc.
Advisory type Public

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

2) Improper access control

Description

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to a DMA access control flaw in the APFS component. A local attacker with a connected Thunderbolt adapter can recover unencrypted APFS filesystem data.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

3) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the APFS component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

4) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the Dictionary Widget component. A remote user can supply a specially crafted input to access arbitrary files.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

5) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the Audio component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

6) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the Remote Management component. A remote attacker can execute arbitrary code with system privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

7) Improper input validation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a input validation flaw in the AppleScript component. A remote attacker can create specially crafted AppleScript that, trick the victim into decompiling it with osadecompile and execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

8) Information disclosure

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a permissions error in packet counters in the kernel component. A local attacker can gain access to arbitrary data.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

9) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the fsck_msdos component. A remote attacker can execute arbitrary code with system privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

10) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the libarchive component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

11) Buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the libarchive component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

12) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the ImageIO component. A remote attacker can execute arbitrary code with system privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

13) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to multiple issues in file. A remote attacker can gain access to the system.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

14) Buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a buffer overflow in the libarchive component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

15) Out-of-bounds read

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an out-of-bounds read error in the the kernel component. A local attacker can gain access to arbitrary data.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

16) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

17) Cross-site scripting

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the HelpViewer component due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

18) Memory corruption

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a memory corruption error in the ATS component. A remote user can trick the victim into processing a specially crafted font and gain access to arbitrary data.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

19) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the CFString component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

20) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the Quick Look component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

21) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the  QuickTime component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

22) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the Open Scripting Architecture component. A remote attacker can create specially crafted AppleScript that, trick the victim into decompiling it with osadecompile and execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

23) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the CoreText component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

24) Spoofing attack

Description

The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The weakness exists due to a font rendering flaw in the Fonts component. A remote user can spoof user interface elements and access arbitrary data.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

25) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the HFS component. A remote attacker can execute arbitrary code with system privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

26) Memory corruption

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a memory management error in the ImageIO component. A remote attacker can trick the victim into loading a specially crafted image, trigger memory corruption and cause the application to crash.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

27) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the TLS 1.0 protocol in the 802.1X component. A remote attacker can bypass security restrictions.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

28) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the kernel component. A remote attacker can trick the victim into loading a specially crafted mach binary and execute arbitrary code with kernel privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

29) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

30) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the Sandbox component. A remote attacker can execute arbitrary code with system privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

31) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

32) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

33) Improper input validation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an input validation flaw in the the kernel component. A remote user can supply a specially crafted input to read restricted memory.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

34) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the kernel component. A remote attacker can execute arbitrary code with kernel privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

35) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to multiple issues in pcre. A remote attacker can gain access to the system.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

36) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory corruption error in the Quick Look component. A remote attacker can execute arbitrary code with elevated privileges.

Remediation

Update to version 10.13.1.

External links

https://support.apple.com/en-us/HT208221

Back to List