===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0346
                    iCloud for Windows: 7.17 and 10.9.2
                              30 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iCloud for Windows
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Increased Privileges            -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Cross-site Scripting            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3868 CVE-2020-3867 CVE-2020-3865
                   CVE-2020-3862 CVE-2020-3846 CVE-2020-3826
                   CVE-2020-3825

Original Bulletin:
   https://support.apple.com/en-au/HT210794
   https://support.apple.com/en-au/HT210795

Comment: This bulletin contains two (2) Apple security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-1-29-1 iCloud for Windows 7.17

iCloud for Windows 7.17 addresses the following:

ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3826: Samuel Groß of Google Project Zero

libxml2
Available for: Windows 7 and later
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3846: Ranier Vilela

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-3867: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3825: Przemysław Sporysz of Euvic
CVE-2020-3868: Marcin Towalski of Cisco Talos

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2020-3862: Srikanth Gatta of Google Chrome

WebKit Page Loading
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Installation note:

iCloud for Windows 7.17 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/apple-security-announce%40auscert.org.au

This email sent to apple-security-announce@auscert.org.au

==============================================================================

APPLE-SA-2020-1-29-2 iCloud for Windows 10.9.2

iCloud for Windows 10.9.2 is now available and addresses the
following:

ImageIO
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3826: Samuel Groß of Google Project Zero

libxml2
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted XML may lead to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3846: Ranier Vilela

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-3867: an anonymous researcher

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3825: Przemysław Sporysz of Euvic
CVE-2020-3868: Marcin Towalski of Cisco Talos

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: A malicious website may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2020-3862: Srikanth Gatta of Google Chrome

WebKit Page Loading
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Installation note:

iCloud for Windows 10.9.2 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================