#VU11213 Memory corruption in Apple Inc. products - CVE-2017-7160


| Updated: 2018-03-22

Vulnerability identifier: #VU11213

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-7160

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apple iOS
Operating systems & Components / Operating system
Apple Safari
Client/Desktop applications / Web browsers
iCloud for Windows
Client/Desktop applications / Other client software
iTunes
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error. A remote attacker can trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to versions iOS 11.2, Safari 11.0.2, iCloud 7.2 on Windows, iTunes 12.7.2 on Windows or tvOS 11.2.

Vulnerable software versions

Apple iOS: 11.0.0 - 11.0.3, 11.1 - 11.1.2

Apple Safari: 11.0 - 11.0.1

iCloud for Windows: 7.0 - 7.1

iTunes: 12.0 - 12.7.1

External links
https://support.apple.com/ru-ru/HT208324
https://support.apple.com/ru-ru/HT208326
https://support.apple.com/ru-ru/HT208327
https://support.apple.com/ru-ru/HT208328
https://support.apple.com/ru-ru/HT208334

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for webkit2gtk3
Gentoo update for WebKitGTK+
Ubuntu update for WebKitGTK+