For our customersβ protection, Apple doesnβt disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
Released December 6, 2017
APNs Server
Available for: Windows 7 and later
Impact: An attacker in a privileged network position could track a user
Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
Entry updated December 21, 2017
CFNetwork Session
Available for: Windows 7 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7172: Richard Zhu (fluorescence) working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
CoreFoundation
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-7151: Samuel GroΓ (@5aelo)
Entry added October 18, 2018
ICU
Available for: Windows 7 and later
Impact: An application may be able to read restricted memory
Description: An integer overflow was addressed through improved input validation.
CVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab
Entry added March 14, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13885: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-7165: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13884: 360 Security working with Trend Microβs Zero Day Initiative
Entry added January 22, 2018
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Microβs Zero Day Initiative
CVE-2017-7160: Richard Zhu (fluorescence) working with Trend Microβs Zero Day Initiative
CVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Microβs Zero Day Initiative
Entry updated January 10, 2018
WebKit
Available for: Windows 7 and later
Impact: Visiting a malicious website may lead to user interface spoofing
Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.
CVE-2017-7153: Jerry Decime
Entry added January 11, 2018