How to exploit a JavaScript array-spread integer overflow vulnerability in WebKit - Vulnerability Alert - myhack58
2017-06-07T00:00:00
ID MYHACK58:62201786811 Type myhack58 Reporter Anonymous (佚名) Modified 2017-06-07T00:00:00
Description
The vulnerability discussed in this article, CVE-2017-2536/ZDI-17-358, is a classic integer overflow: while the engine computes the size of an allocation, the sum wraps around, which then leads to a heap buffer overflow. The PoC is very short, and we also have a fully working exploit for Safari 10.1, so this is going to be fun!
Note: the affected code was originally written so that JavaScriptCore would handle ECMAScript 6 spread operations better; saelo discovered the security issue in it in February of this year.
Vulnerability analysis
The following code is used when JavaScript constructs a new array through spread operations (the `...` operator inside an array literal):
SLOW_PATH_DECL(slow_path_new_array_with_spread)
{
    BEGIN();
    int numItems = pc[3].u.operand;            // number of operands in the array literal
    ASSERT(numItems >= 0);
    // bit i is set when operand i is a spread (`...x`) rather than a plain element
    const BitVector& bitVector = exec->codeBlock()->unlinkedCodeBlock()->bitVector(pc[4].u.unsignedValue);
    JSValue* values = bitwise_cast<JSValue*>(&OP(2));

    // [[ 1 ]] compute the output length: an unsigned sum with no overflow check
    unsigned arraySize = 0;
    for (int i = 0; i < numItems; i++) {
        if (bitVector.get(i)) {
            JSValue value = values[-i];
            JSFixedArray* array = jsCast<JSFixedArray*>(value);
            arraySize += array->size();        // can wrap around modulo 2^32
        } else
            arraySize += 1;
    }

    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
    Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);

    // the result array is allocated with the (possibly wrapped) size
    JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
    CHECK_EXCEPTION();

    // [[ 2 ]] copy every element in; initializeIndex performs no bounds check
    unsigned index = 0;
    for (int i = 0; i < numItems; i++) {
        JSValue value = values[-i];
        if (bitVector.get(i)) {
            // We are spreading.
            JSFixedArray* array = jsCast<JSFixedArray*>(value);
            for (unsigned i = 0; i < array->size(); i++) {
                RELEASE_ASSERT(array->get(i));
                result->initializeIndex(vm, index, array->get(i));
                ++index;
            }
        } else {
            // We are not spreading.
            result->initializeIndex(vm, index, value);
            ++index;
        }
    }

    RETURN(result);
}
Look at the part of the code labeled [[ 1 ]]: the function first computes the length of the output array, which it then allocates and initializes at [[ 2 ]]. However, the size computation can overflow, in which case a smaller array is allocated than the number of elements that will be copied into it.
To confirm that nothing catches this later, note that JSObject::initializeIndex performs no bounds check, as the following piece of code shows (the ASSERTs are compiled out of release builds):
/* ... */
case ALL_CONTIGUOUS_INDEXING_TYPES: {
    ASSERT(i < butterfly->publicLength());   // debug-only checks, absent in release builds
    ASSERT(i < butterfly->vectorLength());
    butterfly->contiguous()[i].set(vm, this, v);
    break;
}
/* ... */
Once the index runs past the allocated storage, the writes become a heap buffer overflow. The vulnerability can be triggered with the following script:
var a = new Array(0x7fffffff);
var x = [13, 37, ...a, ...a];
In this case a JSArray of length 0 is created, and then 2^32 elements are copied into it, which the browser does not like very much.
Of course, fixing this problem is not difficult: adding an integer overflow check to the size computation is enough to fix it. 【Bug fix plan】
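To make the failure mode concrete, here is an added example (not WebKit code) that models the size computation at [[ 1 ]] in both its vulnerable and its checked form. `SpreadItem`, `uncheckedArraySize`, `checkedArraySize`, `pocOperands` and `outOfBoundsWrites` are constructed names for this illustration; WebKit itself encodes the same information in a BitVector plus the JSFixedArray sizes, and its fix uses the engine's own checked-arithmetic helpers rather than the hand-written test shown here.

```cpp
// Added example, not WebKit code: a model of the length computation in
// slow_path_new_array_with_spread, vulnerable version beside the checked one.
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// One operand of an array literal: either a spread (`...a`, contributing
// a.length elements) or a plain literal element (contributing exactly 1).
// Constructed model of what the BitVector + JSFixedArray sizes express.
struct SpreadItem {
    bool isSpread;
    uint32_t size; // element count of the spread operand; ignored when !isSpread
};

// Mirrors the original [[ 1 ]] loop: an unsigned sum with no overflow check.
// The result silently wraps modulo 2^32, so a huge logical length can become
// a tiny allocation size.
uint32_t uncheckedArraySize(const std::vector<SpreadItem>& items) {
    uint32_t arraySize = 0;
    for (const SpreadItem& item : items)
        arraySize += item.isSpread ? item.size : 1u;
    return arraySize;
}

// What an overflow check does conceptually (hand-written equivalent of a
// checked-arithmetic type): refuse to produce a size once the sum no longer
// fits in 32 bits, so an undersized array is never allocated.
// Returns false on overflow; `out` is only valid when true is returned.
bool checkedArraySize(const std::vector<SpreadItem>& items, uint32_t& out) {
    uint32_t arraySize = 0;
    for (const SpreadItem& item : items) {
        uint32_t add = item.isSpread ? item.size : 1u;
        if (add > std::numeric_limits<uint32_t>::max() - arraySize)
            return false; // overflow: the caller must bail out with an exception
        arraySize += add;
    }
    out = arraySize;
    return true;
}

// The operands of the PoC literal `[13, 37, ...a, ...a]` with a.length == 0x7fffffff.
std::vector<SpreadItem> pocOperands() {
    const uint32_t huge = 0x7fffffff;
    return { {false, 0}, {false, 0}, {true, huge}, {true, huge} };
}

// Model of the copy loop at [[ 2 ]]: how many initializeIndex writes would land
// past an array allocated with `allocatedSize` slots? Each of those is an
// out-of-bounds heap write, because initializeIndex has no release-mode check.
uint64_t outOfBoundsWrites(const std::vector<SpreadItem>& items, uint32_t allocatedSize) {
    uint64_t totalWrites = 0;
    for (const SpreadItem& item : items)
        totalWrites += item.isSpread ? item.size : 1u;
    return totalWrites > allocatedSize ? totalWrites - allocatedSize : 0;
}

int main() {
    std::vector<SpreadItem> poc = pocOperands();
    uint32_t wrapped = uncheckedArraySize(poc);
    uint32_t safe = 0;
    bool ok = checkedArraySize(poc, safe);
    std::printf("unchecked size: %u (wrapped)\n", wrapped);
    std::printf("checked size: %s\n", ok ? "accepted" : "rejected (overflow)");
    std::printf("out-of-bounds writes with unchecked size: %llu\n",
                (unsigned long long)outOfBoundsWrites(poc, wrapped));
    return 0;
}
```

Run on the PoC operands, the unchecked sum is 2 + 2 * 0x7fffffff = 2^32, which wraps to an allocation size of 0, while the checked variant rejects the literal before anything is allocated; the difference between the two functions is exactly the check the fix adds.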
Exploit
Even though the PoC given above uses a single array several times, JavaScriptCore still allocates a separate JSFixedArray for every spread operand of the array literal (see the code under [[ 2 ]]). As a result, roughly four billion JSValues have to be allocated, taking up about 32 GiB of RAM. Fortunately, thanks to the page compression performed by the macOS kernel, this is not much of a problem on the macOS platform. It does, however, take roughly a minute to trigger the bug, and the impact remains serious.
Note that this update is\nonly available for 4th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-6989\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\nfixed_build = \"14W585a\";\ntvos_ver = '10.2.1';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : 4,\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE,\n xss : TRUE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:24:00", "description": "The version of Apple Safari installed on the remote macOS or Mac OS X\nhost is prior to 10.1.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the history menu\n functionality. An unauthenticated, remote attacker can\n exploit this to cause a denial of service condition.\n (CVE-2017-2495)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of user-supplied\n input. 
An unauthenticated, remote attacker can exploit\n these issues, by convincing a user to visit a specially\n crafted website, to execute arbitrary code.\n (CVE-2017-2496, CVE-2017-2505, CVE-2017-2506,\n CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,\n CVE-2017-2525, CVE-2017-2526, CVE-2017-2530,\n CVE-2017-2531, CVE-2017-2538, CVE-2017-2539,\n CVE-2017-2544, CVE-2017-2547, CVE-2017-6980,\n CVE-2017-6984)\n\n - A memory corruption issue exists in the WebKit Web\n Inspector component that allows an unauthenticated,\n remote attacker to execute arbitrary code.\n (CVE-2017-2499)\n\n - An address bar spoofing vulnerability exists due to\n improper state management. An unauthenticated, remote\n attacker can exploit this to spoof the address in the\n address bar. (CVE-2017-2500, CVE-2017-2511)\n\n - Multiple universal cross-site scripting (XSS)\n vulnerabilities exist in WebKit due to improper handling\n of WebKit Editor commands, container nodes, pageshow\n events, frame loading, and cached frames. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted web page, to execute arbitrary script\n code in a user's browser session. (CVE-2017-2504,\n CVE-2017-2508, CVE-2017-2510, CVE-2017-2528,\n CVE-2017-2549)\n\n - Multiple unspecified flaws exist in WebKit that allow\n an unauthenticated, remote attacker to corrupt memory\n and execute arbitrary code by using specially crafted\n web content. 
(CVE-2017-2536)", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-05-23T00:00:00", "title": "macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2500", "CVE-2017-2506", "CVE-2017-2539", "CVE-2017-2499", "CVE-2017-2511", "CVE-2017-2547", "CVE-2017-2531", "CVE-2017-2538", "CVE-2017-6984", "CVE-2017-2549", "CVE-2017-2530", "CVE-2017-2544", "CVE-2017-2495", "CVE-2017-2504", "CVE-2017-2515", "CVE-2017-2528", "CVE-2017-2521", "CVE-2017-2505", "CVE-2017-6980", "CVE-2017-2536", "CVE-2017-2496", "CVE-2017-2508", "CVE-2017-2514", "CVE-2017-2526", "CVE-2017-2525", "CVE-2017-2510"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apple:safari"], "id": "MACOSX_SAFARI10_1_1.NASL", "href": "https://www.tenable.com/plugins/nessus/100355", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100355);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-2495\",\n \"CVE-2017-2496\",\n \"CVE-2017-2499\",\n \"CVE-2017-2500\",\n \"CVE-2017-2504\",\n \"CVE-2017-2505\",\n \"CVE-2017-2506\",\n \"CVE-2017-2508\",\n \"CVE-2017-2510\",\n \"CVE-2017-2511\",\n \"CVE-2017-2514\",\n \"CVE-2017-2515\",\n \"CVE-2017-2521\",\n \"CVE-2017-2525\",\n \"CVE-2017-2526\",\n \"CVE-2017-2528\",\n \"CVE-2017-2530\",\n \"CVE-2017-2531\",\n \"CVE-2017-2536\",\n \"CVE-2017-2538\",\n \"CVE-2017-2539\",\n \"CVE-2017-2544\",\n \"CVE-2017-2547\",\n \"CVE-2017-2549\",\n \"CVE-2017-6980\",\n \"CVE-2017-6984\"\n );\n script_bugtraq_id(\n 98454,\n 98455,\n 98456,\n 98470,\n 98473,\n 98474\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-05-15-7\");\n\n script_name(english:\"macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Safari version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser 
installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple Safari installed on the remote macOS or Mac OS X\nhost is prior to 10.1.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the history menu\n functionality. An unauthenticated, remote attacker can\n exploit this to cause a denial of service condition.\n (CVE-2017-2495)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of user-supplied\n input. An unauthenticated, remote attacker can exploit\n these issues, by convincing a user to visit a specially\n crafted website, to execute arbitrary code.\n (CVE-2017-2496, CVE-2017-2505, CVE-2017-2506,\n CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,\n CVE-2017-2525, CVE-2017-2526, CVE-2017-2530,\n CVE-2017-2531, CVE-2017-2538, CVE-2017-2539,\n CVE-2017-2544, CVE-2017-2547, CVE-2017-6980,\n CVE-2017-6984)\n\n - A memory corruption issue exists in the WebKit Web\n Inspector component that allows an unauthenticated,\n remote attacker to execute arbitrary code.\n (CVE-2017-2499)\n\n - An address bar spoofing vulnerability exists due to\n improper state management. An unauthenticated, remote\n attacker can exploit this to spoof the address in the\n address bar. (CVE-2017-2500, CVE-2017-2511)\n\n - Multiple universal cross-site scripting (XSS)\n vulnerabilities exist in WebKit due to improper handling\n of WebKit Editor commands, container nodes, pageshow\n events, frame loading, and cached frames. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted web page, to execute arbitrary script\n code in a user's browser session. 
(CVE-2017-2504,\n CVE-2017-2508, CVE-2017-2510, CVE-2017-2528,\n CVE-2017-2549)\n\n - Multiple unspecified flaws exist in WebKit that allow\n an unauthenticated, remote attacker to corrupt memory\n and execute arbitrary code by using specially crafted\n web content. (CVE-2017-2536)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207804\");\n # https://lists.apple.com/archives/security-announce/2017/May/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7a320df7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple Safari version 10.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-6984\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:safari\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_Safari31.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Safari/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X or macOS\");\n\nif (!ereg(pattern:\"Mac OS X 10\\.(10|11|12)([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X Yosemite 10.10 / Mac OS X El Capitan 10.11 / macOS Sierra 10.12\");\n\ninstalled = get_kb_item_or_exit(\"MacOSX/Safari/Installed\", exit_code:0);\npath = get_kb_item_or_exit(\"MacOSX/Safari/Path\", exit_code:1);\nversion = get_kb_item_or_exit(\"MacOSX/Safari/Version\", exit_code:1);\n\nfixed_version = \"10.1.1\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n report = report_items_str(\n report_items:make_array(\n \"Path\", path,\n \"Installed version\", version,\n \"Fixed version\", fixed_version\n ),\n ordered_fields:make_list(\"Path\", \"Installed version\", \"Fixed version\")\n );\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report, xss:true);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Safari\", version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:06:06", "description": "The remote host is affected by the vulnerability described in GLSA-201706-15\n(WebKitGTK+: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in WebKitGTK+. 
Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attack can use multiple vectors to execute arbitrary code or\n cause a denial of service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-06-08T00:00:00", "title": "GLSA-201706-15 : WebKitGTK+: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2369", "CVE-2016-7648", "CVE-2016-7646", "CVE-2016-1725", "CVE-2015-2330", "CVE-2016-9643", "CVE-2017-2506", "CVE-2017-2355", "CVE-2016-1728", "CVE-2017-2442", "CVE-2017-2395", "CVE-2016-7599", "CVE-2016-4743", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2016-7623", "CVE-2017-2447", "CVE-2016-7645", "CVE-2017-2366", "CVE-2017-2433", "CVE-2016-7589", "CVE-2017-2459", "CVE-2016-7586", "CVE-2017-2454", "CVE-2017-2471", "CVE-2017-2547", "CVE-2017-2531", "CVE-2016-7640", "CVE-2017-2455", "CVE-2017-6984", "CVE-2017-2365", "CVE-2015-7098", "CVE-2017-2549", "CVE-2017-2470", "CVE-2017-2469", "CVE-2016-1727", "CVE-2017-2464", "CVE-2017-2530", "CVE-2017-2396", "CVE-2016-7642", "CVE-2017-2544", "CVE-2017-2465", "CVE-2016-1723", "CVE-2017-2446", "CVE-2017-2405", "CVE-2017-2475", "CVE-2016-1726", "CVE-2017-2504", "CVE-2017-2468", "CVE-2016-7610", "CVE-2016-7611", "CVE-2017-2515", "CVE-2016-7641", "CVE-2017-2528", "CVE-2017-2376", "CVE-2017-2419", "CVE-2016-7635", "CVE-2017-2371", "CVE-2015-7096", "CVE-2017-2377", "CVE-2017-2521", "CVE-2016-7652", "CVE-2016-7632", "CVE-2017-2505", "CVE-2016-1724", "CVE-2017-2466", "CVE-2017-6980", "CVE-2017-2536", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-2373", "CVE-2017-2508", "CVE-2017-2514", "CVE-2017-2481", "CVE-2016-7598", "CVE-2017-2392", "CVE-2017-2356", "CVE-2016-7649", "CVE-2016-9642", "CVE-2016-7587", "CVE-2017-2415", "CVE-2016-7639", "CVE-2016-7592", "CVE-2016-7656", "CVE-2017-2526", 
"CVE-2016-4692", "CVE-2017-2525", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-2394", "CVE-2017-2457", "CVE-2017-2367", "CVE-2017-2386", "CVE-2017-2460", "CVE-2017-2445", "CVE-2017-2476", "CVE-2017-2354"], "modified": "2017-06-08T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:webkit-gtk"], "id": "GENTOO_GLSA-201706-15.NASL", "href": "https://www.tenable.com/plugins/nessus/100675", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201706-15.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100675);\n script_version(\"3.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-2330\", \"CVE-2015-7096\", \"CVE-2015-7098\", \"CVE-2016-1723\", \"CVE-2016-1724\", \"CVE-2016-1725\", \"CVE-2016-1726\", \"CVE-2016-1727\", \"CVE-2016-1728\", \"CVE-2016-4692\", \"CVE-2016-4743\", \"CVE-2016-7586\", \"CVE-2016-7587\", \"CVE-2016-7589\", \"CVE-2016-7592\", \"CVE-2016-7598\", \"CVE-2016-7599\", \"CVE-2016-7610\", \"CVE-2016-7611\", \"CVE-2016-7623\", \"CVE-2016-7632\", \"CVE-2016-7635\", \"CVE-2016-7639\", \"CVE-2016-7640\", \"CVE-2016-7641\", \"CVE-2016-7642\", \"CVE-2016-7645\", \"CVE-2016-7646\", \"CVE-2016-7648\", \"CVE-2016-7649\", \"CVE-2016-7652\", \"CVE-2016-7654\", \"CVE-2016-7656\", \"CVE-2016-9642\", \"CVE-2016-9643\", \"CVE-2017-2350\", \"CVE-2017-2354\", \"CVE-2017-2355\", \"CVE-2017-2356\", \"CVE-2017-2362\", \"CVE-2017-2363\", \"CVE-2017-2364\", \"CVE-2017-2365\", \"CVE-2017-2366\", \"CVE-2017-2367\", \"CVE-2017-2369\", \"CVE-2017-2371\", \"CVE-2017-2373\", \"CVE-2017-2376\", 
\"CVE-2017-2377\", \"CVE-2017-2386\", \"CVE-2017-2392\", \"CVE-2017-2394\", \"CVE-2017-2395\", \"CVE-2017-2396\", \"CVE-2017-2405\", \"CVE-2017-2415\", \"CVE-2017-2419\", \"CVE-2017-2433\", \"CVE-2017-2442\", \"CVE-2017-2445\", \"CVE-2017-2446\", \"CVE-2017-2447\", \"CVE-2017-2454\", \"CVE-2017-2455\", \"CVE-2017-2457\", \"CVE-2017-2459\", \"CVE-2017-2460\", \"CVE-2017-2464\", \"CVE-2017-2465\", \"CVE-2017-2466\", \"CVE-2017-2468\", \"CVE-2017-2469\", \"CVE-2017-2470\", \"CVE-2017-2471\", \"CVE-2017-2475\", \"CVE-2017-2476\", \"CVE-2017-2481\", \"CVE-2017-2496\", \"CVE-2017-2504\", \"CVE-2017-2505\", \"CVE-2017-2506\", \"CVE-2017-2508\", \"CVE-2017-2510\", \"CVE-2017-2514\", \"CVE-2017-2515\", \"CVE-2017-2521\", \"CVE-2017-2525\", \"CVE-2017-2526\", \"CVE-2017-2528\", \"CVE-2017-2530\", \"CVE-2017-2531\", \"CVE-2017-2536\", \"CVE-2017-2539\", \"CVE-2017-2544\", \"CVE-2017-2547\", \"CVE-2017-2549\", \"CVE-2017-6980\", \"CVE-2017-6984\");\n script_xref(name:\"GLSA\", value:\"201706-15\");\n\n script_name(english:\"GLSA-201706-15 : WebKitGTK+: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201706-15\n(WebKitGTK+: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in WebKitGTK+. 
Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attack can use multiple vectors to execute arbitrary code or\n cause a denial of service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201706-15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All WebKitGTK+ users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-libs/webkit-gtk-2.16.3:4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:webkit-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-libs/webkit-gtk\", unaffected:make_list(\"ge 2.16.3\"), vulnerable:make_list(\"lt 2.16.3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"WebKitGTK+\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-07-17T14:22:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2500", "CVE-2017-2506", "CVE-2017-2539", "CVE-2017-2499", "CVE-2017-2511", "CVE-2017-2547", "CVE-2017-2531", "CVE-2017-2538", "CVE-2017-6984", "CVE-2017-2549", "CVE-2017-2530", "CVE-2017-2544", "CVE-2017-2495", "CVE-2017-2504", "CVE-2017-2515", "CVE-2017-2528", "CVE-2017-2521", "CVE-2017-2505", "CVE-2017-6980", "CVE-2017-2536", "CVE-2017-2496", "CVE-2017-2508", "CVE-2017-2514", "CVE-2017-2526", "CVE-2017-2525", "CVE-2017-2510"], "description": "This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-05-16T00:00:00", "id": "OPENVAS:1361412562310810988", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810988", "type": "openvas", "title": "Apple Safari Multiple Vulnerabilities-HT207804", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Safari Multiple Vulnerabilities-HT207804\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:safari\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810988\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2017-2495\", \"CVE-2017-2500\", \"CVE-2017-2511\", \"CVE-2017-2496\",\n \"CVE-2017-2505\", \"CVE-2017-2506\", \"CVE-2017-2514\", \"CVE-2017-2515\",\n \"CVE-2017-2521\", \"CVE-2017-2525\", \"CVE-2017-2526\", \"CVE-2017-2530\",\n \"CVE-2017-2531\", \"CVE-2017-2538\", \"CVE-2017-2539\", \"CVE-2017-2544\",\n \"CVE-2017-2547\", \"CVE-2017-6980\", \"CVE-2017-6984\", \"CVE-2017-2504\",\n \"CVE-2017-2508\", \"CVE-2017-2510\", \"CVE-2017-2528\", \"CVE-2017-2536\",\n \"CVE-2017-2549\", \"CVE-2017-2499\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2017-05-16 12:56:34 +0530 (Tue, 16 May 2017)\");\n script_name(\"Apple Safari Multiple Vulnerabilities-HT207804\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An inconsistent user interface issue.\n\n - An issue in Safari's history menu.\n\n - Multiple memory corruption issues.\n\n - A logic issue existed in the handling of WebKit Editor commands.\n\n - A logic issue existed in the handling of WebKit container nodes.\n\n - A logic issue existed in the handling of pageshow events.\n\n - A logic issue existed in the handling of WebKit cached frames.\n\n - A logic issue existed in frame loading.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct cross site scripting and spoofing attacks and can also\n lead to arbitrary code execution and application denial of service.\");\n\n script_tag(name:\"affected\", value:\"Apple Safari versions before 10.1.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Safari 10.1.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207804\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"macosx_safari_detect.nasl\");\n script_mandatory_keys(\"AppleSafari/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!safVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:safVer, test_version:\"10.1.1\"))\n{\n report = 
report_fixed_ver(installed_version:safVer, fixed_version:\"10.1.1\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "apple": [{"lastseen": "2020-12-24T20:42:15", "bulletinFamily": "software", "cvelist": ["CVE-2017-2500", "CVE-2017-2506", "CVE-2017-7005", "CVE-2017-2539", "CVE-2017-2499", "CVE-2017-2511", "CVE-2017-2547", "CVE-2017-2531", "CVE-2017-2538", "CVE-2017-6984", "CVE-2017-2549", "CVE-2017-2530", "CVE-2017-2544", "CVE-2017-2495", "CVE-2017-2504", "CVE-2017-2515", "CVE-2017-2528", "CVE-2017-2521", "CVE-2017-2505", "CVE-2017-6980", "CVE-2017-2536", "CVE-2017-2496", "CVE-2017-2508", "CVE-2017-2514", "CVE-2017-2526", "CVE-2017-2525", "CVE-2017-2510"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).

Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.

## Safari 10.1.1

Released May 15, 2017. Every entry below is available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.5.

| Component | Impact | Description | CVE and credit |
|---|---|---|---|
| JavaScriptCore | Processing maliciously crafted web content may lead to unexpected application termination or arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | CVE-2017-7005: lokihardt of Google Project Zero. Entry added June 9, 2017. |
| Safari | Visiting a maliciously crafted webpage may lead to an application denial of service | An issue in Safari's history menu was addressed through improved memory handling. | CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc. |
| Safari | Visiting a malicious website may lead to address bar spoofing | An inconsistent user interface issue was addressed with improved state management. | CVE-2017-2500: Zhiyang Zeng and Yuyang Zhou of Tencent Security Platform Department; CVE-2017-2511: Zhiyang Zeng of Tencent Security Platform Department |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2017-2496: Apple; CVE-2017-2505: lokihardt of Google Project Zero; CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative; CVE-2017-2514: lokihardt of Google Project Zero; CVE-2017-2515: lokihardt of Google Project Zero; CVE-2017-2521: lokihardt of Google Project Zero; CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative; CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative; CVE-2017-2530: Wei Yuan of Baidu Security Lab, Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative; CVE-2017-2531: lokihardt of Google Project Zero; CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative; CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative; CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative; CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day Initiative; CVE-2017-6980: lokihardt of Google Project Zero; CVE-2017-6984: lokihardt of Google Project Zero. Entry updated June 20, 2017. |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. | CVE-2017-2504: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management. | CVE-2017-2508: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management. | CVE-2017-2510: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management. | CVE-2017-2528: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | **CVE-2017-2536**: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in frame loading. This issue was addressed with improved state management. | CVE-2017-2549: lokihardt of Google Project Zero |
| WebKit Web Inspector | An application may be able to execute unsigned code | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2499: George Dan (@theninjaprawn) |

Additional recognition (Safari): We would like to acknowledge Flyin9_L (ZhenHui Lee) (@ACITSEC) for their assistance.

Source: APPLE:HT207804, https://support.apple.com/kb/HT207804 ("About the security content of Safari 10.1.1 - Apple Support"), published 2017-06-26; CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) as recorded by the aggregator, not by Apple.
## tvOS 10.2.1

Released May 15, 2017. Every entry below is available for: Apple TV (4th generation).

| Component | Impact | Description | CVE and credit |
|---|---|---|---|
| AVEVideoEncoder | An application may be able to gain kernel privileges | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2017-6989, CVE-2017-6994, CVE-2017-6995, CVE-2017-6996, CVE-2017-6997, CVE-2017-6998, CVE-2017-6999: Adam Donenfeld (@doadam) of the Zimperium zLabs Team. Entry updated May 17, 2017. |
| CoreAudio | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team |
| CoreFoundation | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2522: Ian Beer of Google Project Zero. Entry added May 19, 2017. |
| CoreText | Processing a maliciously crafted file may lead to application termination | A denial of service issue was addressed through improved validation. | CVE-2017-7003: Jake Davis of SPYSCAPE (@DoubleJake), João Henrique Neves and Stephen Goldberg of Salesforce. Entry updated June 7, 2017. |
| Foundation | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2523: Ian Beer of Google Project Zero. Entry added May 19, 2017. |
| IOSurface | An application may be able to gain kernel privileges | A race condition was addressed through improved locking. | CVE-2017-6979: Adam Donenfeld (@doadam) of the Zimperium zLabs Team. Entry updated May 17, 2017. |
| JavaScriptCore | Processing maliciously crafted web content may lead to unexpected application termination or arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | CVE-2017-7005: lokihardt of Google Project Zero. Entry added June 9, 2017. |
| Kernel | An application may be able to execute arbitrary code with kernel privileges | A race condition was addressed through improved locking. | CVE-2017-2501: Ian Beer of Google Project Zero |
| Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-2507: Ian Beer of Google Project Zero; CVE-2017-6987: Patrick Wardle of Synack |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A use after free issue was addressed through improved memory management. | CVE-2017-2513: found by OSS-Fuzz |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A buffer overflow issue was addressed through improved memory handling. | CVE-2017-2518, CVE-2017-2520: found by OSS-Fuzz |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2519: found by OSS-Fuzz |
| TextInput | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2524: Ian Beer of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. | CVE-2017-2504: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2017-2505: lokihardt of Google Project Zero; CVE-2017-2515: lokihardt of Google Project Zero; CVE-2017-2521: lokihardt of Google Project Zero; CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative; CVE-2017-2530: Wei Yuan of Baidu Security Lab, Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative; CVE-2017-2531: lokihardt of Google Project Zero; CVE-2017-6980: lokihardt of Google Project Zero; CVE-2017-6984: lokihardt of Google Project Zero. Entry updated June 20, 2017. |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | **CVE-2017-2536**: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in frame loading. This issue was addressed with improved state management. | CVE-2017-2549: lokihardt of Google Project Zero |
| WebKit Web Inspector | An application may be able to execute unsigned code | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2499: George Dan (@theninjaprawn) |

Additional recognition (Kernel): We would like to acknowledge Orr A. of Aleph Research, HCL Technologies for their assistance.

Source: APPLE:HT207801, https://support.apple.com/kb/HT207801 ("About the security content of tvOS 10.2.1 - Apple Support"), published 2017-06-21; CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) as recorded by the aggregator, not by Apple.

## iOS 10.3.2

Released May 15, 2017. Every entry below is available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation.

| Component | Impact | Description | CVE and credit |
|---|---|---|---|
| AVEVideoEncoder | An application may be able to gain kernel privileges | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2017-6989, CVE-2017-6994, CVE-2017-6995, CVE-2017-6996, CVE-2017-6997, CVE-2017-6998, CVE-2017-6999: Adam Donenfeld (@doadam) of the Zimperium zLabs Team. Entry updated May 17, 2017. |
| CoreAudio | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-2502: Yangkang (@dnpushme) of Qihoo360 Qex Team |
| CoreFoundation | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2522: Ian Beer of Google Project Zero. Entry added May 19, 2017. |
| CoreText | Processing a maliciously crafted file may lead to application termination | A denial of service issue was addressed through improved validation. | CVE-2017-7003: Jake Davis of SPYSCAPE (@DoubleJake), João Henrique Neves and Stephen Goldberg of Salesforce. Entry added June 7, 2017. |
| Foundation | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2523: Ian Beer of Google Project Zero. Entry added May 19, 2017. |
| iBooks | A maliciously crafted book may open arbitrary websites without user permission | A URL handling issue was addressed through improved state management. | CVE-2017-2497: Jun Kokatsu (@shhnjk) |
| iBooks | An application may be able to execute arbitrary code with root privileges | An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization. | CVE-2017-6981: evi1m0 of YSRC (sec.ly.com) |
| IOSurface | An application may be able to gain kernel privileges | A race condition was addressed through improved locking. | CVE-2017-6979: Adam Donenfeld (@doadam) of the Zimperium zLabs Team. Entry updated May 17, 2017. |
| JavaScriptCore | Processing maliciously crafted web content may lead to unexpected application termination or arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | CVE-2017-7005: lokihardt of Google Project Zero. Entry added June 9, 2017. |
| Kernel | An application may be able to execute arbitrary code with kernel privileges | A race condition was addressed through improved locking. | CVE-2017-2501: Ian Beer of Google Project Zero |
| Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2017-2507: Ian Beer of Google Project Zero; CVE-2017-6987: Patrick Wardle of Synack |
| Notifications | An application may be able to cause a denial of service | A denial of service issue was addressed through improved memory handling. | CVE-2017-6982: Vincent Desmurs (vincedes3), Sem Voigtlander (OxFEEDFACE), and Joseph Shenton of CoffeeBreakers |
| Safari | Visiting a maliciously crafted webpage may lead to an application denial of service | An issue in Safari's history menu was addressed through improved memory handling. | CVE-2017-2495: Tubasa Iinuma (@llamakko_cafe) of Gehirn Inc. |
| Security | Update to the certificate trust policy | A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance. | CVE-2017-2498: Andrew Jerman |
| Security | A local application may be able to send privileged XPC messages without entitlements | A race condition was addressed with improved consistency checks. | CVE-2017-7004: Ian Beer of Google Project Zero. Entry added June 8, 2017. |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A use after free issue was addressed through improved memory management. | CVE-2017-2513: found by OSS-Fuzz |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A buffer overflow issue was addressed through improved memory handling. | CVE-2017-2518, CVE-2017-2520: found by OSS-Fuzz |
| SQLite | A maliciously crafted SQL query may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2519: found by OSS-Fuzz |
| SQLite | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved input validation. | CVE-2017-6983, CVE-2017-6991, CVE-2017-7000, CVE-2017-7001, CVE-2017-7002: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative. Entry updated May 24, 2017. |
| TextInput | Parsing maliciously crafted data may lead to arbitrary code execution | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2524: Ian Beer of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2017-2496: Apple; CVE-2017-2505: lokihardt of Google Project Zero; CVE-2017-2506: Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative; CVE-2017-2514: lokihardt of Google Project Zero; CVE-2017-2515: lokihardt of Google Project Zero; CVE-2017-2521: lokihardt of Google Project Zero; CVE-2017-2525: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative; CVE-2017-2526: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative; CVE-2017-2530: Wei Yuan of Baidu Security Lab, Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative; CVE-2017-2531: lokihardt of Google Project Zero; CVE-2017-2538: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative; CVE-2017-2539: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative; CVE-2017-2544: 360 Security (@mj0011sec) working with Trend Micro's Zero Day Initiative; CVE-2017-2547: lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro's Zero Day Initiative; CVE-2017-6980: lokihardt of Google Project Zero; CVE-2017-6984: lokihardt of Google Project Zero. Entry updated June 20, 2017. |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management. | CVE-2017-2504: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management. | CVE-2017-2508: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management. | CVE-2017-2510: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management. | CVE-2017-2528: lokihardt of Google Project Zero |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed through improved memory handling. | **CVE-2017-2536**: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative |
| WebKit | Processing maliciously crafted web content may lead to universal cross site scripting | A logic issue existed in frame loading. This issue was addressed with improved state management. | CVE-2017-2549: lokihardt of Google Project Zero |
| WebKit Web Inspector | An application may be able to execute unsigned code | A memory corruption issue was addressed with improved memory handling. | CVE-2017-2499: George Dan (@theninjaprawn) |

Additional recognition (Kernel): We would like to acknowledge Orr A. of Aleph Research, HCL Technologies for their assistance.

Additional recognition (Safari): We would like to acknowledge Flyin9_L (ZhenHui Lee) (@ACITSEC) for their assistance.

Source: APPLE:HT207798, https://support.apple.com/kb/HT207798 ("About the security content of iOS 10.3.2 - Apple Support"), published 2017-06-20; CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) as recorded by the aggregator, not by Apple.

## GLSA-201706-15: WebKitGTK+: Multiple vulnerabilities

Published 2017-06-07, https://security.gentoo.org/glsa/201706-15; CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE) as recorded by the aggregator.

### Background

WebKitGTK+ is a full-featured port of the WebKit rendering engine.

### Description

Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.

### Impact

A remote attacker can use multiple vectors to execute arbitrary code or cause a denial of service condition.

### Workaround

There is no known workaround at this time.

### Resolution

All WebKitGTK+ users should upgrade to the latest version:

```
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.3:4"
```

CVE identifiers referenced by this GLSA (CVE-2017-2536, the bug this article analyses, is among them): CVE-2017-2369, CVE-2016-7648, CVE-2016-7646, CVE-2016-1725, CVE-2015-2330, CVE-2016-9643, CVE-2017-2506, CVE-2017-2355, CVE-2016-1728, CVE-2017-2442, CVE-2017-2395, CVE-2016-7599, CVE-2016-4743, CVE-2016-7654, CVE-2017-2539, CVE-2017-2363, CVE-2016-7623, CVE-2017-2447, CVE-2016-7645, CVE-2017-2366, CVE-2017-2433, CVE-2016-7589, CVE-2017-2459, CVE-2016-7586, CVE-2017-2454, CVE-2017-2471, CVE-2017-2547, CVE-2017-2531, CVE-2016-7640, CVE-2017-2455, CVE-2017-6984, CVE-2017-2365, CVE-2015-7098, CVE-2017-2549, CVE-2017-2470, CVE-2017-2469, CVE-2016-1727, CVE-2017-2464, CVE-2017-2530, CVE-2017-2396, CVE-2016-7642, CVE-2017-2544, CVE-2017-2465, CVE-2016-1723, CVE-2017-2446, CVE-2017-2405, CVE-2017-2475, CVE-2016-1726, CVE-2017-2504, CVE-2017-2468, CVE-2016-7610, CVE-2016-7611, CVE-2017-2515, CVE-2016-7641, CVE-2017-2528, CVE-2017-2376, CVE-2017-2419, CVE-2016-7635, CVE-2017-2371, CVE-2015-7096, CVE-2017-2377, CVE-2017-2521, CVE-2016-7652, CVE-2016-7632, CVE-2017-2505, CVE-2016-1724, CVE-2017-2466, CVE-2017-6980, CVE-2017-2536, CVE-2017-2496, CVE-2017-2364, CVE-2017-2350, CVE-2017-2373, CVE-2017-2508, CVE-2017-2514, CVE-2017-2481, CVE-2016-7598, CVE-2017-2392, CVE-2017-2356, CVE-2016-7649, CVE-2016-9642, CVE-2016-7587, CVE-2017-2415, CVE-2016-7639, CVE-2016-7592, CVE-2016-7656, CVE-2017-2526, CVE-2016-4692, CVE-2017-2525, CVE-2017-2510, CVE-2017-2362, CVE-2017-2394, CVE-2017-2457, CVE-2017-2367, CVE-2017-2386, CVE-2017-2460, CVE-2017-2445, CVE-2017-2476, CVE-2017-2354.
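When triaging a fleet against these advisories, the practical question is "which releases carry the fix for this CVE, and in which component". The following is an added example, not code from this article, from Apple or from the advisory aggregator: a small Python parser for the advisory layout used above (`## <release>`, `**<component>**`, `Available for:`, `Impact:`, `Description:`, then one `CVE-YYYY-NNNN: <credit>` line per ID). The embedded sample text is an excerpt constructed from the Safari 10.1.1 and tvOS 10.2.1 entries for CVE-2017-2536 and CVE-2017-2549; the function names `parse_advisories` and `fixed_in` are mine.

```python
"""Cross-reference Apple advisory text by CVE.

Added example (not part of the original page, Apple's tooling or the
aggregator). It parses the advisory layout reproduced above and answers
which releases list a given CVE, and under which component.
"""
import re
from collections import defaultdict

# Constructed sample in the advisory format used above; the records are
# copied from the Safari 10.1.1 and tvOS 10.2.1 entries, trimmed to three.
SAMPLE_ADVISORIES = """\
## Safari 10.1.1

Released May 15, 2017

**WebKit**

Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.5

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in frame loading. This issue was addressed with improved state management.

CVE-2017-2549: lokihardt of Google Project Zero

## tvOS 10.2.1

Released May 15, 2017

**WebKit**

Available for: Apple TV (4th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2017-2536: Samuel Groß and Niklas Baumstark working with Trend Micro's Zero Day Initiative
"""

# One release per "## " heading, one record per "**Component**" block,
# and one or more "CVE-...: credit" lines inside each block.
RELEASE_RE = re.compile(r"^## (.+?)\s*$", re.M)
COMPONENT_RE = re.compile(r"^\*\*(.+?)\*\*\s*$", re.M)
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*?)\s*$", re.M)


def parse_advisories(text):
    """Return {cve_id: [record, ...]}; each record holds release, component,
    available_for, impact, description and credit for one CVE line."""
    index = defaultdict(list)
    # re.split with a capturing group yields [preamble, name, body, name, body, ...]
    parts = RELEASE_RE.split(text)
    for i in range(1, len(parts), 2):
        release, body = parts[i].strip(), parts[i + 1]
        comps = COMPONENT_RE.split(body)
        for j in range(1, len(comps), 2):
            component, entry = comps[j].strip(), comps[j + 1]
            fields = {}
            for key in ("Available for", "Impact", "Description"):
                m = re.search(rf"^{re.escape(key)}:\s*(.*?)\s*$", entry, re.M)
                fields[key] = m.group(1) if m else ""
            for cve, credit in CVE_RE.findall(entry):
                index[cve].append({
                    "release": release,
                    "component": component,
                    "available_for": fields["Available for"],
                    "impact": fields["Impact"],
                    "description": fields["Description"],
                    "credit": credit,
                })
    return index


def fixed_in(index, cve):
    """Releases whose advisory lists the CVE, in document order, de-duplicated."""
    releases = []
    for rec in index.get(cve, []):
        if rec["release"] not in releases:
            releases.append(rec["release"])
    return releases


if __name__ == "__main__":
    idx = parse_advisories(SAMPLE_ADVISORIES)
    print("CVE-2017-2536 fixed in:", ", ".join(fixed_in(idx, "CVE-2017-2536")))
    for rec in idx["CVE-2017-2536"]:
        print(f"  {rec['release']}: {rec['component']} ({rec['available_for']})")
```

Feed it the full text of the three Apple advisories and the same lookup shows that CVE-2017-2536 is listed under WebKit in Safari 10.1.1, tvOS 10.2.1 and iOS 10.3.2; the `available_for` field is what you compare against your inventory. The parser deliberately keys on the `CVE-` lines rather than on the "Description" text, because Apple's descriptions are identical across unrelated bugs ("Multiple memory corruption issues ...") and carry no identifying information.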