Apple updates...


240 replies to this topic

#226 AplusWebMaster

Posted 03 April 2017 - 01:21 PM

FYI...

- https://support.appl.../en-us/HT201222

iOS 10.3.1
- https://support.appl.../en-us/HT207688
Apr 3, 2017 - "Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later...
Wi-Fi: Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975 ..."
___

- http://www.securityt....com/id/1038172
CVE Reference: https://nvd.nist.gov...l/CVE-2017-6975
Apr 4 2017
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user within WiFi range can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (10.3.1)...
___

- https://www.us-cert....rity-Update-iOS
April 03, 2017
 


Edited by AplusWebMaster, 07 April 2017 - 09:11 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#227 AplusWebMaster

Posted 15 May 2017 - 05:46 PM

FYI...

> https://support.appl.../en-us/HT201222

iOS 10.3.2 released
- https://support.appl.../en-us/HT207798
May 15, 2017 - "Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation..."
- http://www.securityt....com/id/1038485
CVE Reference: CVE-2017-2498, CVE-2017-6982, CVE-2017-6989
May 15 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.3.2 ...
Impact: An application can cause denial of service conditions on the target system.
An application can obtain elevated privileges on the target system.
A user can bypass certificate validation on the target system.
Solution: The vendor has issued a fix (10.3.2)...
___

Safari 10.1.1
- https://support.appl.../en-us/HT207804
May 15, 2017 - "Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.5..."
- http://www.securityt....com/id/1038487
CVE Reference: CVE-2017-2495, CVE-2017-2496, CVE-2017-2499, CVE-2017-2500, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2508, CVE-2017-2510, CVE-2017-2511, CVE-2017-2514, CVE-2017-2515, CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2538, CVE-2017-2539, CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980, CVE-2017-6984
May 16 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.1.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A local user can bypass code signing policy on the target system.
A remote user can spoof a URL.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (10.1.1)...
___

macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite
- https://support.appl.../en-us/HT207797
May 15, 2017
- http://www.securityt....com/id/1038484
CVE Reference: CVE-2017-2494, CVE-2017-2497, CVE-2017-2501, CVE-2017-2502, CVE-2017-2503, CVE-2017-2507, CVE-2017-2509, CVE-2017-2512, CVE-2017-2513, CVE-2017-2516, CVE-2017-2518, CVE-2017-2519, CVE-2017-2520, CVE-2017-2524, CVE-2017-2527, CVE-2017-2533, CVE-2017-2534, CVE-2017-2535, CVE-2017-2537, CVE-2017-2540, CVE-2017-2541, CVE-2017-2542, CVE-2017-2543, CVE-2017-2545, CVE-2017-2546, CVE-2017-2548, CVE-2017-6977, CVE-2017-6978, CVE-2017-6979, CVE-2017-6981, CVE-2017-6983, CVE-2017-6985, CVE-2017-6986, CVE-2017-6987, CVE-2017-6988, CVE-2017-6990, CVE-2017-6991
May 15 2017
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.12.5...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
An application can obtain potentially sensitive information from system memory on the target system.
An application can obtain elevated privileges on the target system.
A remote user on a local network can obtain 802.1X authentication credentials.
Solution: The vendor has issued a fix (10.12.5)...
___

iCloud for Windows 6.2.1
- https://support.appl.../en-us/HT207803
May 15, 2017
___

iTunes 12.6.1 for Windows
- https://support.appl.../en-us/HT207805
May 15, 2017
___

tvOS 10.2.1
- https://support.appl.../en-us/HT207801
May 15, 2017
___

watchOS 3.2.2
- https://support.appl.../en-us/HT207800
May 15, 2017
___

- https://www.us-cert....ecurity-Updates
May 15, 2017
 

Edited by AplusWebMaster, 16 May 2017 - 04:22 AM.


#228 AplusWebMaster

Posted 19 July 2017 - 03:05 PM

FYI...

Apple security updates
- https://support.appl.../en-us/HT201222
July 19, 2017

iOS 10.3.3
- https://support.appl.../en-us/HT207923
July 19, 2017 - "Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation..."
- http://www.securityt....com/id/1038950
CVE Reference: CVE-2017-2517, CVE-2017-7006, CVE-2017-7007, CVE-2017-7008, CVE-2017-7009, CVE-2017-7010, CVE-2017-7011, CVE-2017-7012, CVE-2017-7013, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7022, CVE-2017-7023, CVE-2017-7024, CVE-2017-7025, CVE-2017-7026, CVE-2017-7027, CVE-2017-7028, CVE-2017-7029, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7038, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7047, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7058, CVE-2017-7059, CVE-2017-7060, CVE-2017-7061, CVE-2017-7062, CVE-2017-7063, CVE-2017-7064, CVE-2017-7068, CVE-2017-7069, CVE-2017-8248, CVE-2017-9417
Jul 19 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 10.3.3 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A local user can obtain potentially sensitive information on the target system.
A local user can obtain potentially sensitive information from system memory on the target system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can execute arbitrary code on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site's interface, access data recently submitted by the target user via web form to the interface, or take actions on the interface acting as the target user.
Solution: The vendor has issued a fix (10.3.3)...

macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
- https://support.appl.../en-us/HT207922
July 19, 2017
- http://www.securityt....com/id/1038951
CVE Reference: CVE-2017-7014, CVE-2017-7015, CVE-2017-7016, CVE-2017-7017, CVE-2017-7021, CVE-2017-7031, CVE-2017-7032, CVE-2017-7033, CVE-2017-7035, CVE-2017-7036, CVE-2017-7044, CVE-2017-7045, CVE-2017-7050, CVE-2017-7051, CVE-2017-7054, CVE-2017-7067
Jul 19 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.12.5 and prior ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
An application can obtain potentially sensitive information from system memory on the target system.
An application can obtain elevated privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.12.6, Security Update 2017-003 El Capitan, Security Update 2017-003 Yosemite).

Safari 10.1.2
- https://support.appl.../en-us/HT207921
July 19, 2017 - "Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6..."

iTunes 12.6.2 for Windows
- https://support.appl.../en-us/HT207928
July 19, 2017

iCloud for Windows 6.2.2
- https://support.appl.../en-us/HT207927
July 19, 2017

tvOS 10.2.2
- https://support.appl.../en-us/HT207924
July 19, 2017

watchOS 3.2.3
- https://support.appl.../en-us/HT207925
July 19, 2017

Wi-Fi Update for Boot Camp 6.1
- https://support.appl.../en-us/HT207940
Published Date: Jul 21, 2017 - "Available for the following machines while running Boot Camp: MacBook Air (Late 2010 and later), MacBook Pro (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Mid 2010 and later), MacBook (Mid 2010 and later)..."
___

- https://www.us-cert....ecurity-Updates
July 19, 2017
 

Edited by AplusWebMaster, 23 July 2017 - 10:07 AM.


#229 AplusWebMaster

Posted 19 September 2017 - 05:13 PM

FYI...

> https://support.appl.../en-us/HT201222

iOS 11
- https://support.appl.../en-us/HT208112
Sep 19, 2017 - "Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation..."
- http://www.securityt....com/id/1039385
CVE Reference: CVE-2017-7072, CVE-2017-7085, CVE-2017-7088, CVE-2017-7089, CVE-2017-7097, CVE-2017-7106, CVE-2017-7118, CVE-2017-7133
Sep 19 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.0 ...
Impact: A remote user can cause denial of service conditions.
A remote user can spoof the address bar.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (11.0)...

> https://support.appl.../en-us/HT204204
___

Safari 11
- https://support.appl.../en-us/HT208116
Sep 19, 2017 - "Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6..."
- http://www.securityt....com/id/1039384
CVE Reference: CVE-2017-7085, CVE-2017-7089, CVE-2017-7106
Sep 19 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.0 ...
Impact: A remote user can spoof the address bar.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (11.0)...
___

Xcode 9
- https://support.appl.../en-us/HT208103
Sep 19, 2017 - "Available for: macOS Sierra 10.12.6 or later..."
- http://www.securityt....com/id/1039386
CVE Reference: CVE-2017-7076, CVE-2017-7134, CVE-2017-7135, CVE-2017-7136, CVE-2017-7137
Sep 19 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 9.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (9.0)...
___

- https://www.us-cert....ecurity-Updates
Sep 19, 2017
 

Edited by AplusWebMaster, 20 September 2017 - 03:46 AM.


#230 AplusWebMaster

Posted 25 September 2017 - 01:11 PM

FYI...

> https://support.appl.../en-us/HT201222

iCloud for Windows 7.0
- https://support.appl.../en-us/HT208142
Sep 25, 2017 - "Available for: Windows 7 and later..."
___

macOS High Sierra 10.13
- https://support.appl.../en-us/HT208144
Sep 25, 2017 - "Available for: OS X Lion 10.8 and later..."
- http://www.securityt....com/id/1039427
CVE Reference: CVE-2016-9042, CVE-2016-9063, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-0381, CVE-2017-1000373, CVE-2017-10989, CVE-2017-11103, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-7074, CVE-2017-7077, CVE-2017-7078, CVE-2017-7080, CVE-2017-7082, CVE-2017-7083, CVE-2017-7084, CVE-2017-7086, CVE-2017-7114, CVE-2017-7119, CVE-2017-7127, CVE-2017-7128, CVE-2017-7129, CVE-2017-7130, CVE-2017-7138, CVE-2017-7141, CVE-2017-7143, CVE-2017-7144, CVE-2017-9233
Sep 25 2017
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Version(s): prior to 10.13 ...
Impact: A remote or local user can cause denial of service conditions on the target system.
A local user can obtain elevated privileges on the target system.
A local user can obtain potentially sensitive information on the target system.
A remote or local user can bypass security controls on the target system.
An application can execute arbitrary code with elevated privileges.
Solution: The vendor has issued a fix (10.13)...
___

macOS Server 5.4
- https://support.appl.../en-us/HT208102
Sep 25, 2017 - "Available for: macOS High Sierra 10.13..."
___

iTunes 12.7 for Windows
- https://support.appl.../en-us/HT208141
Sep 12, 2017 ? - "Available for: Windows 7 and later..."
- http://www.securityt....com/id/1039428
CVE Reference: CVE-2017-7081, CVE-2017-7087, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120
Sep 25 2017
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass same-origin restrictions on the target system.
A remote user can conduct cross-site scripting attacks.
Solution: The vendor has issued a fix (12.7)...
___

iTunes 12.7
- https://support.appl.../en-us/HT208140
Sep 12, 2017 ? - "Available for: OS X Yosemite 10.10.5 and later..."
___

- https://www.us-cert....ecurity-Updates
Sep 25, 2017
 

Edited by AplusWebMaster, 26 September 2017 - 05:23 AM.


#231 AplusWebMaster

Posted 26 September 2017 - 02:41 PM

FYI...

> https://support.appl.../en-us/HT201222

iOS 11.0.1
> https://support.appl.../en-us/HT208143
Sep 26, 2017 - "iOS 11.0.1 includes the security content of iOS 11."

> https://support.appl.../en-us/HT204204
___

Apple releases iOS 11.0.1 software update for iPhone and iPad
> https://9to5mac.com/.../26/ios-11-0-1/
Sep 26, 2017 - "Apple has released the first software update to iOS 11 with iOS 11.0.1 for iPhone and iPad. The build comes in at 15A402 (or 15A403), up from 15A372 for iOS 11.0. As a bug fix and performance improvements update, we don’t expect any feature changes in this release. These updates typically make everything run smoother and potentially help with battery life* and any lingering bugs..."
* https://9to5mac.com/...-life-problems/

>> http://osxdaily.com/...ad-iphone-ipad/
Sep 26, 2017 - "... It’s unclear if the iOS 11.0.1 software update will address any reported iOS 11 battery life problems, problems with Outlook and Microsoft email, or other issues encountered with the recent iOS 11 release, but the update is recommended to install for everyone on iOS 11, whether or not they are experiencing software issues since updating their iPhone or iPad..."

> https://support.appl.../en-us/HT208136
Sep 26, 2017 - "You might not be able to send email with an Outlook.com, Office 365, or Exchange account until you update to iOS 11.0.1. If your email account is hosted by Microsoft on Outlook.com or Office 365, or an Exchange Server 2016 running on Windows Server 2016, you might see this error message when you try to send an email with iOS 11: "Cannot Send Mail. The message was rejected by the server." To fix the issue, update to iOS 11.0.1 or later."

> https://www.wandera....-battery-drain/
Sep 21, 2017 - "... Some iPhone and iPad users are reporting installation problems, slow speed, issues with Bluetooth and Wi-Fi and one that caught our eye specifically – faster battery drain..."
>> https://www.wandera....mp-1200x624.png

> https://ios.gadgetha...ios-11-0177756/
Sep 20, 2017 - "... Check Battery Usage: The first step in treating your battery problem is to see where the problem may be stemming, so head to Settings –> Battery. You should be able to see what apps have been draining your iPhone's battery life over the last 24 hours, as well as another period of time (usually seven days). If you tap on any of the apps in the list, or if you tap the clock icon in the top-right corner next to the time tabs, you will see how much time each app has been used on the screen, as well as how much time the app has spent working in the background..."
___

- https://www.us-cert....rity-Update-iOS
Sep 26, 2017

Edited by AplusWebMaster, 26 September 2017 - 03:01 PM.


#232 AplusWebMaster

Posted 03 October 2017 - 01:28 PM

FYI...

> https://support.appl.../en-us/HT201222

iOS 11.0.2
- https://support.appl.../en-us/HT208164
Oct 3, 2017 - "iOS 11.0.2 includes the security content of iOS 11."
___

> https://support.appl.../en-us/HT208067
Oct 3, 2017 - "... iOS 11.0.2 includes bug fixes and improvements for your iPhone or iPad. This update:
- Fixes an issue where crackling sounds may occur during calls for a small number of iPhone 8 and 8 Plus devices
- Addresses an issue that could cause some photos to become hidden
- Fixes an issue where attachments in S/MIME encrypted emails would not open..."
(More detail at the URL above.)
___

>> https://9to5mac.com/...and-ipod-touch/
Oct. 3 2017 - "Apple has just released iOS 11.0.2 for iPhone, iPad and iPod touch devices. This marks the second bug-fix-update since iOS 11 launched in September. The build number is 15A421.
It looks to be another round of bug fixes and performance improvements, including a fix for crackly audio during phone calls on iPhone 8, a bug that caused some photos not to show up in user’s libraries and resolves an issue relating to attachments in encrypted email...
Apple says the iOS 11.0.2 brings various ‘bug fixes and improvements for iPhone and iPad’.
The minor update is available now for all iOS 11 devices (including the sixth-generation iPod touch).
To update, open Settings on your iOS device and navigate to General -> Software Update. You will need at least 50% battery to perform the update, or be connected to a power outlet.
We’ll keep an eye out for any other changes and enhancements in this latest version of iOS 11. No word yet on battery drain or adverse effects on performance, but we’ll report back if something does arise..."
___

- https://www.us-cert....rity-Update-iOS
Oct 3, 2017
 

Edited by AplusWebMaster, 03 October 2017 - 03:40 PM.


#233 AplusWebMaster

Posted 05 October 2017 - 03:00 PM

FYI...

- https://support.appl.../en-us/HT201222

macOS High Sierra 10.13 Supplemental Update
- https://support.appl.../en-us/HT208165
Oct 5, 2017 - "Available for: macOS High Sierra 10.13..."
CVE-2017-7149, CVE-2017-7150
- http://www.securityt....com/id/1039513
CVE Reference: CVE-2017-7149
Oct 5 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.13 ...
Impact: A local user can obtain the password for an encrypted APFS volume on the target system in certain cases.
Solution: The vendor has issued a fix...

> https://support.appl.../en-us/HT208168
Oct 6, 2017
___

- https://www.us-cert....cOS-High-Sierra
Oct 05, 2017
 

Edited by AplusWebMaster, 09 October 2017 - 09:21 AM.


#234 AplusWebMaster

Posted 31 October 2017 - 12:57 PM

FYI...

> https://support.appl.../en-us/HT201222

iOS 11.1
- https://support.appl.../en-us/HT208222
Oct 31, 2017 - "Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation..."

- https://www.security....com/id/1039703
CVE Reference: CVE-2017-13080, CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13799, CVE-2017-13802, CVE-2017-13803, CVE-2017-13804, CVE-2017-13805, CVE-2017-13844, CVE-2017-13849, CVE-2017-7113
Oct 31 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify data on the target system.
A remote user can cause the target service to crash.
A local user can obtain potentially sensitive information on the target system.
An application can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (11.1)...
___

Safari 11.1
- https://support.appl.../en-us/HT208223
Oct 31, 2017 - "Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13..."

- https://www.security....com/id/1039706
CVE Reference: CVE-2017-13789, CVE-2017-13790
Oct 31 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 11.1 ...
Impact: A remote user can spoof a URL in the address bar.
Solution: The vendor has issued a fix (11.1)...
___

macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
- https://support.appl.../en-us/HT208221
Oct 31, 2017 - "Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6..."

- https://www.security....com/id/1039710
CVE Reference: CVE-2017-13782, CVE-2017-13786, CVE-2017-13800, CVE-2017-13801, CVE-2017-13807, CVE-2017-13808, CVE-2017-13809, CVE-2017-13810, CVE-2017-13811, CVE-2017-13812, CVE-2017-13813, CVE-2017-13814, CVE-2017-13815, CVE-2017-13816, CVE-2017-13817, CVE-2017-13818, CVE-2017-13819, CVE-2017-13820, CVE-2017-13821, CVE-2017-13822, CVE-2017-13823, CVE-2017-13824, CVE-2017-13825, CVE-2017-13828, CVE-2017-13830, CVE-2017-13831, CVE-2017-13832, CVE-2017-13834, CVE-2017-13836, CVE-2017-13838, CVE-2017-13840, CVE-2017-13841, CVE-2017-13842, CVE-2017-13843, CVE-2017-13846, CVE-2017-7132
Nov 1 2017
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A local user can obtain potentially sensitive information on the target system.
A local user can obtain potentially sensitive information from system memory on the target system.
An application can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix...
___

iCloud for Windows 7.1
- https://support.appl.../en-us/HT208225
Oct 31, 2017 - "Available for: Windows 7 and later..."
___

iTunes 12.7.1 for Windows
- https://support.appl.../en-us/HT208224
Oct 31, 2017 - "Available for: Windows 7 and later..."
___

tvOS 11.1
- https://support.appl.../en-us/HT208219
Oct 31, 2017 - "Available for: Apple TV 4K and Apple TV (4th generation)..."
___

watchOS 4.1
- https://support.appl.../en-us/HT208220
Oct 31, 2017 - "Available for: All Apple Watch models..."
___

- https://www.us-cert....ecurity-Updates
Oct 31, 2017
 

Edited by AplusWebMaster, 01 November 2017 - 05:08 AM.


#235 AplusWebMaster

Posted 29 November 2017 - 05:37 PM

FYI...

Security Update 2017-001 - macOS High Sierra 10.13.1
- https://support.appl.../en-us/HT208315
Nov 29, 2017 - "Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
When you install Security Update 2017-001* on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac**.
* https://support.apple.com/kb/HT201541
** https://support.appl.../en-us/HT201260
If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update***.
*** https://support.appl.../en-us/HT204012
If you experience issues with authenticating or connecting to file shares on your Mac after you install this update, you can repair file sharing[4].
[4] https://support.apple.com/kb/HT208317
___

- https://www.security....com/id/1039875
CVE Reference: CVE-2017-13872
Updated: Nov 29 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 10.13 ...
Impact: A local user can obtain root privileges on the target system.
Solution: The vendor has issued a fix...
> https://support.appl.../en-us/HT208315

> https://www.computer...aw-updated.html
Nov 29, 2017
___

> https://www.kb.cert.org/vuls/id/113765
29 Nov 2017

- https://www.us-cert....cOS-High-Sierra
Nov 29, 2017
___

>> https://blog.malware...-the-root-user/
Nov 29, 2017

- https://blog.malware...amroot-bug-fix/
Dec 4, 2017
 

Edited by AplusWebMaster, 06 December 2017 - 09:18 AM.


#236 AplusWebMaster

Posted 02 December 2017 - 08:05 AM

FYI...

iOS 11.2 released
- https://www.theverge...eatures-release
Dec 2, 2017 - "Apple is taking the highly unusual step of releasing a significant iOS update today, just hours after an iOS 11 bug started crashing iPhones. A bug in iOS 11.1.2 started causing iPhones to crash if third-party apps use recurring notifications for things like reminders. Apple is releasing iOS 11.2 today, which addresses the issue and includes a number of new features. Apple usually releases iOS updates on a Tuesday, so this appears to have been issued early to fix the crash bug..."

> https://www.theverge...cember-2nd-2017
Dec 2, 2017
___

> https://support.appl.../en-us/HT201222

iOS 11.2 (details available soon) - iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

> https://support.appl.../en-us/HT204204
 



#237 AplusWebMaster

Posted 06 December 2017 - 04:17 PM

FYI...

- https://support.appl.../en-us/HT201222

iOS 11.2
- https://support.appl.../en-us/HT208334
Released Dec 2, 2017
IOKit: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to execute arbitrary code with system privileges
 Description: Multiple memory corruption issues were addressed through improved state management.
 CVE-2017-13847: Ian Beer of Google Project Zero
IOMobileFrameBuffer: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to execute arbitrary code with kernel privilege
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13879: Apple
IOSurface: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13861: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13862: Apple
 CVE-2017-13876: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to read restricted memory
 Description: An out-of-bounds read was addressed with improved bounds checking.
 CVE-2017-13833: Brandon Azad
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to read restricted memory
 Description: A type confusion issue was addressed with improved memory handling.
 CVE-2017-13855: Jann Horn of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: A malicious application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13867: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An application may be able to read restricted memory
 Description: Multiple validation issues were addressed with improved input sanitization.
 CVE-2017-13865: Ian Beer of Google Project Zero
 CVE-2017-13868: Brandon Azad
 CVE-2017-13869: Jann Horn of Google Project Zero
Mail: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: Incorrect certificate is used for encryption
 Description: A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate.
 CVE-2017-13874: an anonymous researcher
Mail Drafts: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
 Impact: An attacker with a privileged network position may be able to intercept mail
 Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.
 CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH
Wi-Fi: Available for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation
 Released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1.
 Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
 Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
 CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
Published Date: Dec 6, 2017
___

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
- https://support.appl.../en-us/HT208331
Released Dec 6, 2017
apache: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
 Description: Multiple issues were addressed by updating to version 2.4.28.
 CVE-2017-9798
curl: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
 Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
 CVE-2017-1000254: Max Dymond
Directory Utility: Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
 Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
 Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
 CVE-2017-13872
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
 Impact: An application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13883: an anonymous researcher
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
 Impact: A local user may be able to cause unexpected system termination or read kernel memory
 Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
 CVE-2017-13878: Ian Beer of Google Project Zero
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
 Impact: An application may be able to execute arbitrary code with system privileges
 Description: An out-of-bounds read was addressed through improved bounds checking.
 CVE-2017-13875: Ian Beer of Google Project Zero
IOAcceleratorFamily: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to execute arbitrary code with system privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)
IOKit: Available for: macOS High Sierra 10.13.1
 Impact: An application may be able to execute arbitrary code with system privileges
 Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
 CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
 CVE-2017-13858: an anonymous researcher
IOKit: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to execute arbitrary code with system privileges
 Description: Multiple memory corruption issues were addressed through improved state management.
 CVE-2017-13847: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13862: Apple
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to read restricted memory
 Description: An out-of-bounds read was addressed with improved bounds checking.
 CVE-2017-13833: Brandon Azad
Kernel: Available for: macOS High Sierra 10.13.1
 Impact: An application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13876: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to read restricted memory
 Description: A type confusion issue was addressed with improved memory handling.
 CVE-2017-13855: Jann Horn of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: A malicious application may be able to execute arbitrary code with kernel privileges
 Description: A memory corruption issue was addressed with improved memory handling.
 CVE-2017-13867: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1
 Impact: An application may be able to read restricted memory
 Description: A validation issue was addressed with improved input sanitization.
 CVE-2017-13865: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to read restricted memory
 Description: A validation issue was addressed with improved input sanitization.
 CVE-2017-13868: Brandon Azad
 CVE-2017-13869: Jann Horn of Google Project Zero
Mail: Available for: macOS High Sierra 10.13.1
 Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed
 Description: An inconsistent user interface issue was addressed with improved state management.
 CVE-2017-13871: an anonymous researcher
Mail Drafts: Available for: macOS High Sierra 10.13.1
 Impact: An attacker with a privileged network position may be able to intercept mail
 Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.
 CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH
OpenSSL: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
 Impact: An application may be able to read restricted memory
 Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
 CVE-2017-3735: found by OSS-Fuzz
Screen Sharing Server: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
 Impact: A user with screen sharing access may be able to access any file readable by root
 Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
 CVE-2017-13826: Trevor Jacques of Toronto
___

tvOS 11.2
- https://support.appl.../en-us/HT208327
Released Dec 4, 2017 - "Available for: Apple TV 4K and Apple TV (4th generation)..."
Published Date: Dec 6, 2017
___

watchOS 4.2
- https://support.appl.../en-us/HT208325
Released Dec 5, 2017 - "Available for: All Apple Watch models..."
Published Date: Dec 6, 2017
___

Safari 11.0.2 - (details available soon)
OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13
6 Dec 2017
___

iTunes 12.7.2 for Windows (details available soon)
Windows 7 and later
6 Dec 2017
___

- https://www.us-cert....ecurity-Updates
Dec 06, 2017
 



Edited by AplusWebMaster, 07 December 2017 - 05:23 AM.



#238 AplusWebMaster


Posted 13 December 2017 - 11:43 AM

FYI...

- https://support.appl.../en-us/HT201222

iCloud for Windows 7.2
- https://support.appl.../en-us/HT208328
Dec 13, 2017
APNs Server: Available for: Windows 7 and later
Impact: An attacker in a privileged network position can track a user
Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
WebKit: Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher
___

iOS 11.2.1
- https://support.appl.../en-us/HT208357
Dec 13, 2017
HomeKit: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903

>> https://discussions....08357?filter=qa
Last: December 27, 2017

- https://www.security....com/id/1040008
CVE Reference: CVE-2017-13903
Dec 13 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Description: A vulnerability was reported in Apple iOS. A remote user can access and control HomeKit smart accessories.
On systems with shared HomeKit application users, a remote user can send specially crafted data to trigger a state error in the HomeKit application and gain access to the target user's HomeKit-controlled accessories...
Impact: A remote user can access and control HomeKit smart accessories.
Solution: The vendor has issued a fix (11.2.1)...
___

Safari 11.0.2
- https://support.appl.../en-us/HT208324
WebKit: Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Published Date: Dec 13, 2017

- https://www.security....com/id/1040012
CVE Reference: CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157
Dec 13 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Description: Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted web content that, when loaded by the target user, will trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157].
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (11.0.2)...
___

tvOS 11.2.1
- https://support.appl.../en-us/HT208359
Dec 13, 2017
HomeKit: Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903

- https://www.us-cert....es-iOS-and-tvOS
Dec 13, 2017
___

AirPort Base Station Firmware Update 7.6.9
- https://support.appl.../en-us/HT208258
Dec 12, 2017
AirPort Base Station Firmware: Available for: AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
AirPort Base Station Firmware: Available for: AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
___

AirPort Base Station Firmware Update 7.7.9
- https://support.appl.../en-us/HT208354
Dec 12, 2017
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
___

- https://www.us-cert....ecurity-Updates
Dec 12, 2017
 



Edited by AplusWebMaster, 28 December 2017 - 03:05 PM.



#239 AplusWebMaster


Posted 05 January 2018 - 08:25 AM

FYI...

Apple - About speculative execution vulnerabilities in ARM-based and Intel CPUs
- https://support.appl.../en-us/HT208394
Jan 4, 2018 - "Background: The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software. The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
> Meltdown: Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or "rogue data cache load." The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited.
Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
> Spectre: Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or "bounds check bypass," and CVE-2017-5715 or "branch target injection." These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS."
___

- https://www.kb.cert.org/vuls/id/584653
Last revised: 05 Jan 2018

- https://www.us-cert....lerts/TA18-004A
Last revised: Jan 05, 2018

- https://www.helpnets...rowser-attacks/
Jan 5, 2018
 

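The "bounds check bypass" technique (CVE-2017-5753) described in the Apple note quoted in the post above, shown as the code pattern it affects next to a branchless index-masking form. This is an added example, not part of the original post and not Apple's or WebKit's code; index masking is a general software mitigation, the page does not say what Apple's own changes consist of, and every name below (`index_mask`, `lookup_checked`, `lookup_masked`, `HIDE_VAR`) and all array contents are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16u
#define STRIDE    64u   /* one cache line per possible byte value */

static uint8_t table[TABLE_LEN];     /* data the caller may legitimately index */
static uint8_t probe[256 * STRIDE];  /* second array, indexed by the loaded byte */

/* Keep the optimizer from proving the mask is constant and deleting it. */
#if defined(__GNUC__) || defined(__clang__)
#define HIDE_VAR(v) __asm__ __volatile__("" : "+r"(v))
#else
#define HIDE_VAR(v) ((void)0)  /* no barrier here: inspect the generated code */
#endif

/* All-ones when idx < size, 0 otherwise, computed without a branch so the
 * result is a data dependency rather than something a prediction can skip.
 * Assumes size <= PTRDIFF_MAX, two's complement conversion and an arithmetic
 * right shift of negative values (true for GCC, Clang and MSVC). */
size_t index_mask(size_t idx, size_t size)
{
    HIDE_VAR(idx);
    return (size_t)(~(ptrdiff_t)(idx | (size - 1 - idx))
                    >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Affected pattern: architecturally correct, but while the comparison is still
 * unresolved the CPU may run both loads with an out-of-range idx, and the
 * second load leaves a cache footprint that depends on the byte it read. */
uint8_t lookup_checked(size_t idx)
{
    if (idx < TABLE_LEN)
        return probe[table[idx] * STRIDE];
    return 0;
}

/* Masked form: the index is ANDed with the mask after the check, so even on a
 * mispredicted path the first load stays inside table[] (index becomes 0). */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return probe[table[idx] * STRIDE];
    }
    return 0;
}

/* Fill both arrays with constructed values and confirm that masking does not
 * change results for in-range or out-of-range input. Returns 1 on agreement. */
int lookups_agree(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        table[i] = (uint8_t)(i * 7 + 3);
    for (size_t v = 0; v < 256; v++)
        probe[v * STRIDE] = (uint8_t)(v ^ 0x5a);
    for (size_t i = 0; i < 4 * TABLE_LEN; i++)
        if (lookup_checked(i) != lookup_masked(i))
            return 0;
    return lookup_masked(SIZE_MAX) == 0;
}

int main(void)
{
    printf("mask(5)=%zx mask(16)=%zx agree=%d\n",
           index_mask(5, TABLE_LEN), index_mask(16, TABLE_LEN), lookups_agree());
    return 0;
}
```

Masking only constrains the first load; whether the compiler kept the AND in an optimized build has to be confirmed in the generated assembly.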


#240 AplusWebMaster


Posted 08 January 2018 - 01:55 PM

FYI...

- https://support.appl.../en-us/HT201222

iOS 11.2.2
- https://support.appl.../en-us/HT208401
Jan 8, 2018 - "Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715)..."
___

Safari 11.0.2
- https://support.appl.../en-us/HT208403
Jan 8, 2018 - "Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
Description: Safari 11.0.2 includes security improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715)..."
___

macOS High Sierra 10.13.2 Supplemental Update
- https://support.appl.../en-us/HT208397
Jan 8, 2018 - "Available for: macOS High Sierra 10.13.2
Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715)...
Installing macOS High Sierra 10.13.2 Supplemental Update will update Safari to version 11.0.2 (13604.4.7.1.6) or version 11.0.2 (13604.4.7.10.6).
To check the version of Safari installed on your Mac:
1. Open Safari.
2. Choose Safari > About Safari."
___

- https://www.us-cert....ecurity-Updates
Jan 08, 2018
 



Edited by AplusWebMaster, 09 January 2018 - 05:51 AM.
