8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
This document describes the security content of Safari 10.1.2.
For our customersโ protection, Apple doesnโt disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
Released July 19, 2017
Safari Printing
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to an infinite number of print dialogs
Description: An issue existed where a malicious or compromised website could show infinite print dialogs and make users believe their browser was locked. The issue was addressed through throttling of print dialogs.
CVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: A malicious website may exfiltrate data cross-origin
Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.
CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue was addressed with improved frame handling.
CVE-2017-7011: xisigr of Tencentโs Xuanwu Lab (tencent.com)
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (่่้ๆๅทดๆฏๅ ๅนดๅฎๅ จๅฎ้ชๅฎค)
CVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (่่้ๆๅทดๆฏๅ ๅนดๅฎๅ จๅฎ้ชๅฎค)
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7040: Ivan Fratric of Google Project Zero
CVE-2017-7041: Ivan Fratric of Google Project Zero
CVE-2017-7042: Ivan Fratric of Google Project Zero
CVE-2017-7043: Ivan Fratric of Google Project Zero
CVE-2017-7046: Ivan Fratric of Google Project Zero
CVE-2017-7048: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Microโs Zero Day Initiative
CVE-2017-7055: The UKโs National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
CVE-2017-7061: lokihardt of Google Project Zero
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting
Description: A logic issue existed in the handling of DOMParser. This issue was addressed with improved state management.
CVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd
CVE-2017-7059: Masato Kinugawa and Mario Heiderich of Cure53
Entry updated July 28, 2017
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7049: Ivan Fratric of Google Project Zero
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed through improved memory handling.
CVE-2017-7064: lokihardt of Google Project Zero
WebKit Page Loading
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department
WebKit Web Inspector
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7012: Apple
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date: July 29, 2017
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C