Published:

30 January 2020

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0346
                    iCloud for Windows: 7.17 and 10.9.2
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iCloud for Windows
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Increased Privileges            -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Cross-site Scripting            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3868 CVE-2020-3867 CVE-2020-3865
                   CVE-2020-3862 CVE-2020-3846 CVE-2020-3826
                   CVE-2020-3825  

Original Bulletin: 
   https://support.apple.com/en-au/HT210794
   https://support.apple.com/en-au/HT210795

Comment: This bulletin contains two (2) Apple security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-1-29-1 iCloud for Windows 7.17

iCloud for Windows 7.17 addresses the following:

ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3826: Samuel Groß of Google Project Zero

libxml2
Available for: Windows 7 and later
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3846: Ranier Vilela

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-3867: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3825: Przemysław Sporysz of Euvic
CVE-2020-3868: Marcin Towalski of Cisco Talos

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2020-3862: Srikanth Gatta of Google Chrome

WebKit Page Loading
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Installation note:

iCloud for Windows 7.17 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/apple-security-announce%40auscert.org.au

This email sent to apple-security-announce@auscert.org.au

==============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-1-29-2 iCloud for Windows 10.9.2

iCloud for Windows 10.9.2 is now available and addresses the
following:

ImageIO
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3826: Samuel Groß of Google Project Zero

libxml2
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3846: Ranier Vilela

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-3867: an anonymous researcher

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3825: Przemysław Sporysz of Euvic
CVE-2020-3868: Marcin Towalski of Cisco Talos

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2020-3862: Srikanth Gatta of Google Chrome

WebKit Page Loading
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Installation note:

iCloud for Windows 10.9.2 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
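The bulletin's resolution is to upgrade to 7.17 (classic installer) or 10.9.2 (Microsoft Store build). The following inventory check is an added example, not part of the AusCERT or Apple text: it reads the installed iCloud for Windows version from the standard Uninstall registry keys and from the Store package list and flags anything older than the fixed versions. It assumes the Store package is named 'AppleInc.iCloud' and that its package version string tracks the advertised product version; neither is stated in the bulletin.

```powershell
# Added example (not from the bulletin). Flags iCloud for Windows builds older
# than the fixed versions named in ESB-2020.0346. Run in an elevated session so
# HKLM and the per-user Store package lists are readable.
$FixedClassic = [version]'7.17'    # APPLE-SA-2020-1-29-1
$FixedStore   = [version]'10.9.2'  # APPLE-SA-2020-1-29-2

# Classic (non-Store) installer registers under the usual Uninstall keys,
# 64-bit and WOW6432Node. Entries without a parseable version are skipped.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Classic = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'iCloud*' } |
    ForEach-Object {
        $v = $_.DisplayVersion -as [version]
        if ($v) {
            [pscustomobject]@{
                Source     = 'Installer'
                Name       = $_.DisplayName
                Installed  = $v
                Fixed      = $FixedClassic
                Vulnerable = ($v -lt $FixedClassic)
            }
        }
    }

# Store build. Package name 'AppleInc.iCloud' is an assumption; -AllUsers
# covers packages registered for every profile on the host.
$Store = Get-AppxPackage -AllUsers -Name 'AppleInc.iCloud' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = $_.Version -as [version]
        if ($v) {
            [pscustomobject]@{
                Source     = 'Store'
                Name       = $_.Name
                Installed  = $v
                Fixed      = $FixedStore
                Vulnerable = ($v -lt $FixedStore)
            }
        }
    }

$Findings = @($Classic) + @($Store)
if ($Findings.Count -eq 0) { 'iCloud for Windows not found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

A `Vulnerable` value of `True` means the host still carries a build affected by the CVEs listed above and should be upgraded via https://support.apple.com/HT204283.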

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----