macOS High Sierra 10.13
Released September 25, 2017
Application Firewall
Available for: OS X Mountain Lion 10.8 and later
Impact: A previously denied application firewall setting may take effect after upgrading
Description: An upgrade issue existed in the handling of firewall settings. This issue was addressed through improved handling of firewall settings during upgrades.
CVE-2017-7084: an anonymous researcher
AppSandbox
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-2017-7074: Daniel Jalkut of Red Sweater Software
Captive Network Assistant
Available for: OS X Mountain Lion 10.8 and later
Impact: A local user may unknowingly send a password unencrypted over the network
Description: The security state of the captive portal browser was not obvious. This issue was addressed with improved visibility of the captive portal browser security state.
CVE-2017-7143: Matthew Green of Johns Hopkins University
Entry updated October 3, 2017
CFNetwork Proxies
Available for: OS X Mountain Lion 10.8 and later
Impact: An attacker in a privileged network position may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
CoreAudio
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend Micro
Directory Utility
Available for: OS X Mountain Lion 10.8 and later
Impact: A local attacker may be able to determine the Apple ID of the owner of the computer
Description: A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls.
CVE-2017-7138: Daniel Kvak of Masaryk University
Entry updated October 3, 2017
file
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version 5.30.
CVE-2017-7121: found by OSS-Fuzz
CVE-2017-7122: found by OSS-Fuzz
CVE-2017-7123: found by OSS-Fuzz
CVE-2017-7124: found by OSS-Fuzz
CVE-2017-7125: found by OSS-Fuzz
CVE-2017-7126: found by OSS-Fuzz
Heimdal
Available for: OS X Mountain Lion 10.8 and later
Impact: An attacker in a privileged network position may be able to impersonate a service
Description: A validation issue existed in the handling of the KDC-REP service name. This issue was addressed through improved validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams
IOFireWireFamily
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7077: Brandon Azad
IOFireWireFamily
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7119: Xiaolong Bai, Min (Spark) Zheng of Alibaba Inc., Benjamin Gnahm (@mitp0sh) of PDX
Kernel
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
libc
Available for: OS X Mountain Lion 10.8 and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
libc
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through improved memory handling.
CVE-2017-1000373
libexpat
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version 2.2.1
CVE-2016-9063
CVE-2017-9233
Mail
Available for: OS X Mountain Lion 10.8 and later
Impact: The sender of an email may be able to determine the IP address of the recipient
Description: Turning off "Load remote content in messages" did not apply to all mailboxes. This issue was addressed with improved setting propagation.
CVE-2017-7141: John Whitehead of The New York Times
Entry updated October 3, 2017
Mail Drafts
Available for: OS X Mountain Lion 10.8 and later
Impact: An attacker with a privileged network position may be able to intercept mail contents
Description: An encryption issue existed in the handling of mail drafts. This issue was addressed with improved handling of mail drafts meant to be sent encrypted.
CVE-2017-7078: Petter Flink, Pierre ALBARÈDE from Marseille (France), an anonymous researcher
Entry updated October 3, 2017
ntp
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version 4.2.8p10
CVE-2017-6451: Cure53
CVE-2017-6452: Cure53
CVE-2017-6455: Cure53
CVE-2017-6458: Cure53
CVE-2017-6459: Cure53
CVE-2017-6460: Cure53
CVE-2017-6462: Cure53
CVE-2017-6463: Cure53
CVE-2017-6464: Cure53
CVE-2016-9042: Matthew Van Gundy of Cisco
Screen Lock
Available for: OS X Mountain Lion 10.8 and later
Impact: Application Firewall prompts may appear over Login Window
Description: A window management issue was addressed through improved state management.
CVE-2017-7082: Tim Kingman
Security
Available for: OS X Mountain Lion 10.8 and later
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling of revocation data. This issue was addressed through improved validation.
CVE-2017-7080: Sven Driemecker of adesso mobile solutions gmbh, Rune Darrud (@theflyingcorpse) of Bærum kommune, an anonymous researcher, an anonymous researcher
SQLite
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version 3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
SQLite
Available for: OS X Mountain Lion 10.8 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7127: an anonymous researcher
zlib
Available for: OS X Mountain Lion 10.8 and later
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version 1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843