This document describes the security content of iCloud for Windows 7.2.
For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
Released December 13, 2017
APNs Server
Available for: Windows 7 and later
Impact: An attacker in a privileged network position could track a user
Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
Entry updated December 21, 2017
CFNetwork Session
Available for: Windows 7 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13885: 360 Security working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7165: 360 Security working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13884: 360 Security working with Trend Micro’s Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Visiting a malicious website may lead to user interface spoofing
Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.
CVE-2017-7153: Jerry Decime
Entry added January 11, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro’s Zero Day Initiative
CVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro’s Zero Day Initiative
CVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative
Entry updated January 10, 2018
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date: January 25, 2018