For our customersβ protection, Apple doesnβt disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
Released December 6, 2017
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13885: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7165: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13884: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Visiting a malicious website may lead to user interface spoofing
Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.
CVE-2017-7153: Jerry Decime
Entry added January 11, 2018
WebKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Microβs Zero Day Initiative
CVE-2017-7160: Richard Zhu (fluorescence) working with Trend Microβs Zero Day Initiative
CVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Microβs Zero Day Initiative
Entry updated January 10, 2018
WebKit Web Inspector
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters.
CVE-2017-7161: Mitin Svyat
Entry added January 10, 2018
WebKit
We would like to acknowledge YiΔit Can YILMAZ (@yilmazcanyigit) and Abhinash Jain (@abhinashjain) researcher for their assistance.
Entry added February 14, 2018, updated April 9, 2018