Alerts

Apple security updates

FYI...

Apple security updates
- https://support.apple.com/en-us/HT201222
July 19, 2017

iOS 10.3.3
- https://support.apple.com/en-us/HT207923
July 19, 2017 - "Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation..."
- http://www.securitytracker.com/id/1038950
CVE Reference: CVE-2017-2517, CVE-2017-7006, CVE-2017-7007, CVE-2017-7008, CVE-2017-7009, CVE-2017-7010, CVE-2017-7011, CVE-2017-7012, CVE-2017-7013, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7022, CVE-2017-7023, CVE-2017-7024, CVE-2017-7025, CVE-2017-7026, CVE-2017-7027, CVE-2017-7028, CVE-2017-7029, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7038, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7047, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7058, CVE-2017-7059, CVE-2017-7060, CVE-2017-7061, CVE-2017-7062, CVE-2017-7063, CVE-2017-7064, CVE-2017-7068, CVE-2017-7069, CVE-2017-8248, CVE-2017-9417
Jul 19 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.3.3 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A local user can obtain potentially sensitive information on the target system.
A local user can obtain potentially sensitive information from system memory on the target system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can execute arbitrary code on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site's interface, access data recently submitted by the target user via web form to the interface, or take actions on the interface acting as the target user.
Solution: The vendor has issued a fix (10.3.3)...

macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
- https://support.apple.com/en-us/HT207922
July 19, 2017
- http://www.securitytracker.com/id/1038951
CVE Reference: CVE-2017-7014, CVE-2017-7015, CVE-2017-7016, CVE-2017-7017, CVE-2017-7021, CVE-2017-7031, CVE-2017-7032, CVE-2017-7033, CVE-2017-7035, CVE-2017-7036, CVE-2017-7044, CVE-2017-7045, CVE-2017-7050, CVE-2017-7051, CVE-2017-7054, CVE-2017-7067
Jul 19 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.12.5 and prior ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
An application can obtain potentially sensitive information from system memory on the target system.
An application can obtain elevated privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.12.6, Security Update 2017-003 El Capitan, Security Update 2017-003 Yosemite).

Safari 10.1.2
- https://support.apple.com/en-us/HT207921
July 19, 2017 - "Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6..."

iTunes 12.6.2 for Windows
- https://support.apple.com/en-us/HT207928
July 19, 2017

iCloud for Windows 6.2.2
- https://support.apple.com/en-us/HT207927
July 19, 2017

tvOS 10.2.2
- https://support.apple.com/en-us/HT207924
July 19, 2017

watchOS 3.2.3
- https://support.apple.com/en-us/HT207925
July 19, 2017

Wi-Fi Update for Boot Camp 6.1
- https://support.apple.com/en-us/HT207940
Published Date: Jul 21, 2017 - "Available for the following machines while running Boot Camp: MacBook Air (Late 2010 and later), MacBook Pro (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Mid 2010 and later), MacBook (Mid 2010 and later)..."
___

- https://www.us-cert.gov/ncas/current-activity/2017/07/19/Apple-Releases-Security-Updates
July 19, 2017

Thunderbird 52.3.0 released

FYI...

Thunderbird 52.3.0 released
- https://www.mozilla.org/en-US/thunderbird/52.3.0/releasenotes/
Aug 16, 2017
Fixed:
- Unwanted inline images shown in rogue SPAM messages
- Deleting message from the POP3 server not working when maildir storage was used
- Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later
- Inline images not scaled to fit when printing
- Selected text from another message sometimes included in a reply
- No authorisation prompt displayed when inserting image into email body although image URL requires authentication
- Large attachments taking a long time to open under some circumstances

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download
- https://www.mozilla.org/en-US/thunderbird/all/

> https://www.mozilla.org/en-US/security/advisories/mfsa2017-20/
Critical:
CVE-2017-7800: Use-after-free in WebSockets during disconnection
CVE-2017-7801: Use-after-free with marquee during window resizing
CVE-2017-7779: Memory safety bugs fixed in Firefox 55, Firefox ESR 52.3, and Thunderbird 52.3
___

- https://www.us-cert.gov/ncas/current-activity/2017/08/21/Mozilla-Releases-Security-Update
Aug 21, 2017

Apple updates - 2017.09.19

FYI...

> https://support.apple.com/en-us/HT201222

iOS 11
- https://support.apple.com/en-us/HT208112
Sep 19, 2017 - "Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation..."
- http://www.securitytracker.com/id/1039385
CVE Reference: CVE-2017-7072, CVE-2017-7085, CVE-2017-7088, CVE-2017-7089, CVE-2017-7097, CVE-2017-7106, CVE-2017-7118, CVE-2017-7133
Sep 19 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.0 ...
Impact: A remote user can cause denial of service conditions.
A remote user can spoof the address bar.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (11.0)...

> https://support.apple.com/en-us/HT204204
___

Safari 11
- https://support.apple.com/en-us/HT208116
Sep 19, 2017 - "Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6..."
- http://www.securitytracker.com/id/1039384
CVE Reference: CVE-2017-7085, CVE-2017-7089, CVE-2017-7106
Sep 19 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.0 ...
Impact: A remote user can spoof the address bar.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (11.0)...
___

Xcode 9
- https://support.apple.com/en-us/HT208103
Sep 19, 2017 - "Available for: macOS Sierra 10.12.6 or later..."
- http://www.securitytracker.com/id/1039386
CVE Reference: CVE-2017-7076, CVE-2017-7134, CVE-2017-7135, CVE-2017-7136, CVE-2017-7137
Sep 19 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (9.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2017/09/19/Apple-Releases-Security-Updates
Sep 19, 2017

WordPress 4.8.2 released

FYI...

WordPress 4.8.2 Security and Maintenance Release
- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Sep 19, 2017 - "WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately..."

Release notes: https://codex.wordpress.org/Version_4.8.2

Change List:
- https://core.trac.wordpress.org/que...type&col=priority&col=keywords&order=priority

> https://wordpress.org/download/release-archive/

Download: https://wordpress.org/download/
___

- https://www.us-cert.gov/ncas/current-activity/2017/09/20/WordPress-Releases-Security-Update
Sep 20, 2017

Apple updates - 2017.09.25

FYI...

> https://support.apple.com/en-us/HT201222

iCloud for Windows 7.0
- https://support.apple.com/en-us/HT208142
Sep 25, 2017 - "Available for: Windows 7 and later..."
___

macOS High Sierra 10.13
- https://support.apple.com/en-us/HT208144
Sep 25, 2017 - "Available for: OS X Lion 10.8 and later..."
- http://www.securitytracker.com/id/1039427
CVE Reference: CVE-2016-9042, CVE-2016-9063, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-0381, CVE-2017-1000373, CVE-2017-10989, CVE-2017-11103, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-7074, CVE-2017-7077, CVE-2017-7078, CVE-2017-7080, CVE-2017-7082, CVE-2017-7083, CVE-2017-7084, CVE-2017-7086, CVE-2017-7114, CVE-2017-7119, CVE-2017-7127, CVE-2017-7128, CVE-2017-7129, CVE-2017-7130, CVE-2017-7138, CVE-2017-7141, CVE-2017-7143, CVE-2017-7144, CVE-2017-9233
Sep 25 2017
Fix Available: Yes Vendor Confirmed: Yes ...
Version(s): prior to 10.13 ...
Impact: A remote or local user can cause denial of service conditions on the target system.
A local user can obtain elevated privileges on the target system.
A local user can obtain potentially sensitive information on the target system.
A remote or local user can bypass security controls on the target system.
An application can execute arbitrary code with elevated privileges.
Solution: The vendor has issued a fix (10.13)...
___

macOS Server 5.4
- https://support.apple.com/en-us/HT208102
Sep 25, 2017 - "Available for: macOS High Sierra 10.13..."
___

iTunes 12.7 for Windows
- https://support.apple.com/en-us/HT208141
Sep 12, 2017 ? - "Available for: Windows 7 and later..."
- http://www.securitytracker.com/id/1039428
CVE Reference: CVE-2017-7081, CVE-2017-7087, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120
Sep 25 2017
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass same-origin restrictions on the target system.
A remote user can conduct cross-site scripting attacks.
Solution: The vendor has issued a fix (12.7)...
___

iTunes 12.7
- https://support.apple.com/en-us/HT208140
Sep 12, 2017 ? - "Available for: OS X Yosemite 10.10.5 and later..."
___

- https://www.us-cert.gov/ncas/current-activity/2017/09/25/Apple-Releases-Security-Updates
Sep 25, 2017

iOS 11.0.1 released

FYI...

> https://support.apple.com/en-us/HT201222

iOS 11.0.1
> https://support.apple.com/en-us/HT208143
Sep 26, 2017 - "iOS 11.0.1 includes the security content of iOS 11."

> https://support.apple.com/en-us/HT204204
___

Apple releases iOS 11.0.1 software update for iPhone and iPad
> https://9to5mac.com/2017/09/26/ios-11-0-1/
Sep 26, 2017 - "Apple has released the first software update to iOS 11 with iOS 11.0.1 for iPhone and iPad. The build comes in at 15A402 (or 15A403), up from 15A372 for iOS 11.0. As a bug fix and performance improvements update, we don’t expect any feature changes in this release. These updates typically make everything run smoother and potentially help with battery life* and any lingering bugs..."
* https://9to5mac.com/2017/09/25/ios-11-battery-life-problems/

>> http://osxdaily.com/2017/09/26/ios-11-0-1-update-download-iphone-ipad/
Sep 26, 2017 - "... It’s unclear if the iOS 11.0.1 software update will address any reported iOS 11 battery life problems, problems with Outlook and Microsoft email, or other issues encountered with the recent iOS 11 release, but the update is recommended to install for everyone on iOS 11, whether or not they are experiencing software issues since updating their iPhone or iPad..."

> https://support.apple.com/en-us/HT208136
Sep 26, 2017 - "You might not be able to send email with an Outlook.com, Office 365, or Exchange account until you update to iOS 11.0.1. If your email account is hosted by Microsoft on Outlook.com or Office 365, or an Exchange Server 2016 running on Windows Server 2016, you might see this error message when you try to send an email with iOS 11: "Cannot Send Mail. The message was rejected by the server." To fix the issue, update to iOS 11.0.1 or later."

> https://www.wandera.com/blog/ios-11-battery-drain/
Sep 21, 2017 - "... Some iPhone and iPad users are reporting installation problems, slow speed, issues with Bluetooth and Wi-Fi and one that caught our eye specifically – faster battery drain..."
>> https://www.wandera.com/wp-content/uploads/2017/09/ios_battery_comp-1200x624.png

> https://ios.gadgethacks.com/how-to/improve-battery-life-your-iphone-ios-11-0177756/
Sep 20, 2017 - "... Check Battery Usage: The first step in treating your battery problem is to see where the problem may be stemming, so head to Settings –> Battery. You should be able to see what apps have been draining your iPhone's battery life over the last 24 hours, as well as another period of time (usually seven days). If you tap on any of the apps in the list, or if you tap the clock icon in the top-right corner next to the time tabs, you will see how much time each app has been used on the screen, as well has how much time the app has spent working in the background..."
___

- https://www.us-cert.gov/ncas/current-activity/2017/09/26/Apple-Releases-Security-Update-iOS
Sep 26, 2017

Adblock Plus 1.13.4 for Chrome and Opera released

FYI...

Adblock Plus 1.13.4 for Chrome and Opera released
> https://adblockplus.org/releases/adblock-plus-1134-for-chrome-and-opera-released
2017-09-26

Install Adblock Plus 1.13.4 for Chrome
Install Adblock Plus 1.13.4 for Opera

This release features improvements to the emulation filters, which allow blocking ads on Facebook again.
It also includes some bug fixes and changes under the hood..."

iOS 11.0.2 released

FYI...

> https://support.apple.com/en-us/HT201222

iOS 11.0.2
- https://support.apple.com/en-us/HT208164
Oct 3, 2017 - "iOS 11.0.2 includes the security content of iOS 11."
___

> https://support.apple.com/en-us/HT208067
Oct 3, 2017 - "... iOS 11.0.2 includes bug fixes and improvements for your iPhone or iPad. This update:
- Fixes an issue where crackling sounds may occur during calls for a small number of iPhone 8 and 8 Plus devices
- Addresses an issue that could cause some photos to become hidden
- Fixes an issue where attachments in S/MIME encrypted emails would not open..."
(More detail at the URL above.)
___

>> https://9to5mac.com/2017/10/03/apple-releases-ios-11-0-2-for-iphone-ipad-and-ipod-touch/
Oct. 3 2017 - "Apple has just released iOS 11.0.2 for iPhone, iPad and iPod touch devices. This marks the second bug-fix-update since iOS 11 launched in September. The build number is 15A421.
It looks to be another round of bug fixes and performance improvements, including a fix for crackly audio during phone calls on iPhone 8, a bug that caused some photos not to show up in user’s libraries and resolves an issue relating to attachments in encrypted email...
Apple says the iOS 11.0.2 brings various ‘bug fixes and improvements for iPhone and iPad’.
The minor update is available now for all iOS 11 devices (including the sixth-generation iPod touch).
To update, open Settings on your iOS device and navigate to General -> Software Update. You will need at least 50% battery to perform the update, or be connected to a power outlet.
We’ll keep an eye out for any other changes and enhancements in this latest version of iOS 11. No word yet on battery drain or adverse effects on performance, but we’ll report back if something does arise..."
___

- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apple-Releases-Security-Update-iOS
Oct 3, 2017

Apple security update - 2017.10.05

FYI...

- https://support.apple.com/en-us/HT201222

macOS High Sierra 10.13 Supplemental Update
- https://support.apple.com/en-us/HT208165
Oct 5, 2017 - "Available for: macOS High Sierra 10.13..."
CVE-2017-7149, CVE-2017-7150
- http://www.securitytracker.com/id/1039513
CVE Reference: CVE-2017-7149
Oct 5 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.13 ...
Impact: A local user can obtain the password for an encrypted APFS volume on the target system in certain cases.
Solution: The vendor has issued a fix...

> https://support.apple.com/en-us/HT208168
Oct 6, 2017
___

- https://www.us-cert.gov/ncas/curren...le-Releases-Security-Update-macOS-High-Sierra
Oct 05, 2017

Thunderbird 52.4.0 released

FYI...

Thunderbird 52.4.0 released
- https://www.mozilla.org/en-US/thunderbird/52.4.0/releasenotes/
Oct 6, 2017

New: In Thunderbird 52 a new behavior was introduced for replies to mailing list posts: "When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header". A new preference mail.override_list_reply_to allows restoring the previous behavior.
Fixed:
- Under certain circumstances (image attachment and non-image attachment), attached images were shown truncated in messages stored in IMAP folders not synchronised for offline use.
- IMAP UIDs > 0x7FFFFFFF not handled properly
- Various security fixes*

* https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird52.4
Oct 9, 2017
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/
Critical:
CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4, and Thunderbird 52.4

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Addons: https://addons.mozilla.org/en-US/thunderbird/

Download
- https://www.mozilla.org/en-US/thunderbird/all/
___

> https://www.us-cert.gov/ncas/current-activity/2017/10/11/Mozilla-Releases-Security-Update
Oct 11, 2017

WPA2 Vulnerabilities

FYI...

WPA2 Vulnerabilities
> https://www.us-cert.gov/ncas/current-activity/2017/10/16/CERTCC-Reports-WPA2-Vulnerabilities
16 Oct 2017 - "... vulnerabilities are in the WPA2 protocol, not within individual WPA2 implementations, which means that all WPA2 wireless networking may be affected. Mitigations include installing updates to affected products and hosts as they become available. US-CERT encourages users and administrators to review CERT/CC's VU #228519*..."
* https://www.kb.cert.org/vuls/id/228519/
16 Oct 2017 - See: Vendor Information

> https://isc.sans.edu/diary/rss/22932
Oct 16, 2017
___

- https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Oct 16, 2017
> https://w1.fi/security/2017-1/

- https://www.securitytracker.com/id/1039573
CVE Reference: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
Oct 16 2017
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 2.6 and prior ...
Impact: A remote user on the wireless network can access and modify data on the wireless network.
Solution: The vendor has issued patches, available at:
> https://w1.fi/security/2017-1/
The patches will be included in future release 2.7...

Last edited:
Apple security updates - 2017.10.31

FYI...

> https://support.apple.com/en-us/HT201222

iOS 11.1
- https://support.apple.com/en-us/HT208222
Oct 31, 2017 - "Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation..."

- https://www.securitytracker.com/id/1039703
CVE Reference: CVE-2017-13080, CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13799, CVE-2017-13802, CVE-2017-13803, CVE-2017-13804, CVE-2017-13805, CVE-2017-13844, CVE-2017-13849, CVE-2017-7113
Oct 31 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify data on the target system.
A remote user can cause the target service to crash.
A local user can obtain potentially sensitive information on the target system.
An application can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (11.1)...
___

Safari 11.1
- https://support.apple.com/en-us/HT208223
Oct 31, 2017 - "Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13..."

- https://www.securitytracker.com/id/1039706
CVE Reference: CVE-2017-13789, CVE-2017-13790
Oct 31 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.1 ...
Impact: A remote user can spoof a URL in the address bar.
Solution: The vendor has issued a fix (11.1)...
___

macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan
- https://support.apple.com/en-us/HT208221
Oct 31, 2017 - "Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6..."

- https://www.securitytracker.com/id/1039710
CVE Reference: CVE-2017-13782, CVE-2017-13786, CVE-2017-13800, CVE-2017-13801, CVE-2017-13807, CVE-2017-13808, CVE-2017-13809, CVE-2017-13810, CVE-2017-13811, CVE-2017-13812, CVE-2017-13813, CVE-2017-13814, CVE-2017-13815, CVE-2017-13816, CVE-2017-13817, CVE-2017-13818, CVE-2017-13819, CVE-2017-13820, CVE-2017-13821, CVE-2017-13822, CVE-2017-13823, CVE-2017-13824, CVE-2017-13825, CVE-2017-13828, CVE-2017-13830, CVE-2017-13831, CVE-2017-13832, CVE-2017-13834, CVE-2017-13836, CVE-2017-13838, CVE-2017-13840, CVE-2017-13841, CVE-2017-13842, CVE-2017-13843, CVE-2017-13846, CVE-2017-7132
Nov 1 2017
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A local user can obtain potentially sensitive information on the target system.
A local user can obtain potentially sensitive information from system memory on the target system.
An application can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix...
___

iCloud for Windows 7.1
- https://support.apple.com/en-us/HT208225
Oct 31, 2017 - "Available for: Windows 7 and later..."
___

iTunes 12.7.1 for Windows
- https://support.apple.com/en-us/HT208224
Oct 31, 2017 - "Available for: Windows 7 and later..."
___

tvOS 11.1
- https://support.apple.com/en-us/HT208219
Oct 31, 2017 - "Available for: Apple TV 4K and Apple TV (4th generation)..."
___

watchOS 4.1
- https://support.apple.com/en-us/HT208220
Oct 31, 2017 - "Available for: All Apple Watch models..."
___

- https://www.us-cert.gov/ncas/current-activity/2017/10/31/Apple-Releases-Multiple-Security-Updates
Oct 31, 2017

Thunderbird 52.5.0 released

FYI...

Thunderbird 52.5.0 released
- https://www.mozilla.org/en-US/thunderbird/52.5.0/releasenotes/
Nov 23, 2017
New: Better support for Charter/Spectrum IMAP: Thunderbird will now detect Charter's IMAP service and send an additional IMAP select command to the server. Check the various preferences ending in "force_select" to see whether auto-detection has discovered this case.
Fixed:
- In search folders spanning multiple base folders clicking on a message sometimes marked another message as read
- IMAP alerts have been corrected and now show the correct server name in case of connection problems
- POP alerts have been corrected and now indicate connection problems in case the configured POP server cannot be found
- Various security fixes:
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird52.5

> https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/
Critical:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Addons: https://addons.mozilla.org/en-US/thunderbird/

Download
- https://www.mozilla.org/en-US/thunderbird/all/

Apple Security Update 2017-001 - macOS High Sierra 10.13.1

FYI...

Security Update 2017-001 - macOS High Sierra 10.13.1
- https://support.apple.com/en-us/HT208315
Nov 29, 2017 - "Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872: When you install Security Update 2017-001* on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac**.
* https://support.apple.com/kb/HT201541
** https://support.apple.com/en-us/HT201260
If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update***.
*** https://support.apple.com/en-us/HT204012
If you experience issues with authenticating or connecting to file shares on your Mac after you install this update, you can repair file sharing[4].
[4] https://support.apple.com/kb/HT208317
___

- https://www.securitytracker.com/id/1039875
CVE Reference: CVE-2017-13872
Updated: Nov 29 2017
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 10.13 ...
Impact: A local user can obtain root privileges on the target system.
Solution: The vendor has issued a fix...
> https://support.apple.com/en-us/HT208315

> https://www.computerworld.com/artic...pples-shameful-mac-security-flaw-updated.html
Nov 29, 2017
___

> https://www.kb.cert.org/vuls/id/113765
29 Nov 2017

- https://www.us-cert.gov/ncas/curren...le-Releases-Security-Update-macOS-High-Sierra
Nov 29, 2017
___

>> https://blog.malwarebytes.com/cybercrime/2017/11/serious-macos-vulnerability-exposes-the-root-user/
Nov 29, 2017

- https://blog.malwarebytes.com/threat-analysis/2017/12/yet-another-flaw-in-apples-iamroot-bug-fix/
Dec 4, 2017

WordPress 4.9.1 released

FYI...

WordPress 4.9.1 Security and Maintenance Release
- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Nov 29, 2017 - "WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack..."

Download: https://wordpress.org/download/

iOS 11.2 released

FYI...

iOS 11.2 released
- https://www.theverge.com/2017/12/2/16727166/apple-ios-11-2-features-release
Dec 2, 2017 - "Apple is taking the highly unusual step of releasing a significant iOS update today, just hours after an iOS 11 bug started crashing iPhones. A bug in iOS 11.1.2 started causing iPhones to crash if third-party apps use recurring notifications for things like reminders. Apple is releasing iOS 11.2 today, which addresses the issue and includes a number of new features. Apple usually releases iOS updates on a Tuesday, so this appears to have been issued early to fix the crash bug..."

> https://www.theverge.com/2017/12/2/16727112/iphone-crash-bug-december-2nd-2017
Dec 2, 2017
___

> https://support.apple.com/en-us/HT201222

iOS 11.2 (details available soon) - iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

> https://support.apple.com/en-us/HT204204

Apple updates - 2017.12.06

FYI...

- https://support.apple.com/en-us/HT201222

iOS 11.2
- https://support.apple.com/en-us/HT208334
Released Dec 2, 2017
IOKit: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero
IOMobileFrameBuffer: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privilege
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13879: Apple
IOSurface: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13861: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple
CVE-2017-13876: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero
Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to read restricted memory
Description: Multiple validation issues were addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
Mail: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: Incorrect certificate is used for encryption
Description: A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate.
CVE-2017-13874: an anonymous researcher
Mail Drafts: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An attacker with a privileged network position may be able to intercept mail
Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH
Wi-Fi: Available for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation
Released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1.
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
Published Date: Dec 6, 2017
___

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
- https://support.apple.com/en-us/HT208331
Released Dec 6, 2017
apache: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to version 2.4.28.
CVE-2017-9798
curl: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
CVE-2017-1000254: Max Dymond
Directory Utility: Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13883: an anonymous researcher
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
CVE-2017-13878: Ian Beer of Google Project Zero
Intel Graphics Driver: Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero
IOAcceleratorFamily: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)
IOKit: Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher
IOKit: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad
Kernel: Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
Kernel: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
Mail: Available for: macOS High Sierra 10.13.1
Impact: An S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13871: an anonymous researcher
Mail Drafts: Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to intercept mail
Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH
OpenSSL: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
CVE-2017-3735: found by OSS-Fuzz
Screen Sharing Server: Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
Impact: A user with screen sharing access may be able to access any file readable by root
Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
CVE-2017-13826: Trevor Jacques of Toronto
___

tvOS 11.2
- https://support.apple.com/en-us/HT208327
Released Dec 4, 2017 - "Available for: Apple TV 4K and Apple TV (4th generation)..."
Published Date: Dec 6, 2017
___

watchOS 4.2
- https://support.apple.com/en-us/HT208325
Released Dec 5, 2017 - "Available for: All Apple Watch models..."
Published Date: Dec 6, 2017
___

Safari 11.0.2 - (details available soon)
OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13
6 Dec 2017
___

iTunes 12.7.2 for Windows - (details available soon)
Windows 7 and later
6 Dec 2017
___

- https://www.us-cert.gov/ncas/current-activity/2017/12/06/Apple-Releases-Security-Updates
Dec 06, 2017

Apple advisories - 2017.12.12-13

FYI...

- https://support.apple.com/en-us/HT201222

iCloud for Windows 7.2
- https://support.apple.com/en-us/HT208328
Dec 13, 2017
APNs Server: Available for: Windows 7 and later
Impact: An attacker in a privileged network position can track a user
Description: A privacy issue existed in the use of client certificates. This issue was addressed through a revised protocol.
CVE-2017-13864: FURIOUSMAC Team of United States Naval Academy
WebKit: Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7156: an anonymous researcher
CVE-2017-7157: an anonymous researcher
CVE-2017-13856: Jeonghoon Shin
CVE-2017-13870: an anonymous researcher
CVE-2017-13866: an anonymous researcher
___

iOS 11.2.1
- https://support.apple.com/en-us/HT208357
Dec 13, 2017
HomeKit: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903

>> https://discussions.apple.com/article/HT208357?filter=qa
Last: December 27, 2017

- https://www.securitytracker.com/id/1040008
CVE Reference: CVE-2017-13903
Dec 13 2017
Fix Available: Yes Vendor Confirmed: Yes
Description: A vulnerability was reported in Apple iOS. A remote user can access and control HomeKit smart accessories.
On systems with shared HomeKit application users, a remote user can send specially crafted data to trigger a state error in the HomeKit application and gain access to the target user's HomeKit-controlled accessories...
Impact: A remote user can access and control HomeKit smart accessories.
Solution: The vendor has issued a fix (11.2.1)...
___

Safari 11.0.2
- https://support.apple.com/en-us/HT208324
WebKit: Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Published Date: Dec 13, 2017

- https://www.securitytracker.com/id/1040012
CVE Reference: CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157
Dec 13 2017
Fix Available: Yes Vendor Confirmed: Yes
Description: Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted web content that, when loaded by the target user, will trigger a memory corruption error in the WebKit component to execute arbitrary code [CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157].
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (11.0.2)...
___

tvOS 11.2.1
- https://support.apple.com/en-us/HT208359
Dec 13, 2017
HomeKit: Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A remote attacker may be able to unexpectedly alter application state
Description: A message handling issue was addressed with improved input validation.
CVE-2017-13903

- https://www.us-cert.gov/ncas/curren.../Apple-Releases-Security-Updates-iOS-and-tvOS
Dec 13, 2017
___

AirPort Base Station Firmware Update 7.6.9
- https://support.apple.com/en-us/HT208258
Dec 12, 2017
AirPort Base Station Firmware: Available for: AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
AirPort Base Station Firmware: Available for: AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
___

AirPort Base Station Firmware Update 7.7.9
- https://support.apple.com/en-us/HT208354
Dec 12, 2017
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
AirPort Base Station Firmware: Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
___

- https://www.us-cert.gov/ncas/current-activity/2017/12/12/Apple-Releases-Security-Updates
Dec 12, 2017
