===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1422
                     Apple security update for iCloud
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iCloud
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-1857 CVE-2021-1825 CVE-2021-1811
                   CVE-2020-7463

Reference:         ESB-2021.1408

Original Bulletin:
   https://support.apple.com/HT212321

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2021-04-26-8 iCloud for Windows 12.3

iCloud for Windows 12.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212321.

CFNetwork
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2021-1857: an anonymous researcher

CoreText
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: A logic issue was addressed with improved state
management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab

WebKit
Available for: Windows 10 and later via the Microsoft Store
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2021-1825: Alex Camboe of Aon's Cyber Solutions

WebRTC
Available for: Windows 10 and later via the Microsoft Store
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-7463: Megan2013678

Additional recognition

CoreCrypto
We would like to acknowledge Andy Russon of Orange Group for their
assistance.

Installation note:

This update may be obtained from:
https://support.apple.com/en-us/HT201391

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================