An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information. This issue is fixed in macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan. Sharing contact information may lead to unexpected data sharing.

Released December 6, 2017

**APFS**

Available for: macOS High Sierra 10.13.1

Impact: APFS encryption keys may not be securely deleted after hibernating

Description: A logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.

CVE-2017-13887: David Ryskalczyk

Entry added June 21, 2018

**apache**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory

Description: Multiple issues were addressed by updating to version 2.4.28.

CVE-2017-9798: Hanno Böck

Entry updated December 18, 2018

**Auto Unlock**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2017-13905: Samuel Groß (@5aelo)

Entry added October 18, 2018

**CFNetwork Session**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative

Entry added January 22, 2018

**Contacts**

Available for: macOS High Sierra 10.13.1

Impact: Sharing contact information may lead to unexpected data sharing

Description: An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information. 

CVE-2017-13892: Ryan Manly of Glenbrook High School District 225

Entry added October 18, 2018

**CoreAnimation**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with elevated privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen\_lab) working with Trend Micro's Zero Day Initiative

Entry added January 22, 2018

**CoreFoundation**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CVE-2017-7151: Samuel Groß (@5aelo)

Entry added October 18, 2018

**curl**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory

Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.

CVE-2017-1000254: Max Dymond

**Directory Utility**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier 

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

**ICU**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: An integer overflow was addressed through improved input validation.

CVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab

Entry added March 14, 2018

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13883: Yu Wang of Didi Research America

CVE-2017-7163: Yu Wang of Didi Research America

CVE-2017-7155: Yu Wang of Didi Research America

Entry updated December 21, 2017 

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.1

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.

CVE-2017-13878: Ian Beer of Google Project Zero

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2017-13875: Ian Beer of Google Project Zero

**IOAcceleratorFamily**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-7159: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)

Entry updated December 21, 2017 

**IOKit**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with system privileges

Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.

CVE-2017-13848: Alex Plaskett of MWR InfoSecurity

CVE-2017-13858: an anonymous researcher

**IOKit**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with system privileges

Description: Multiple memory corruption issues were addressed through improved state management.

CVE-2017-13847: Ian Beer of Google Project Zero

**IOKit**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-7162: Tencent Keen Security Lab (@keen\_lab) working with Trend Micro's Zero Day Initiative

Entry updated January 10, 2018

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13904: Kevin Backhouse of Semmle Ltd.

Entry added February 14, 2018

**Kernel**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to read kernel memory (Meltdown)

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)

Entry updated January 5, 2018

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13862: Apple

CVE-2017-13867: Ian Beer of Google Project Zero

Entry updated December 21, 2017 

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2017-7173: Brandon Azad

Entry updated January 11, 2018

**Kernel**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13876: Ian Beer of Google Project Zero

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: A type confusion issue was addressed with improved memory handling.

CVE-2017-13855: Jann Horn of Google Project Zero

**Kernel**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13865: Ian Beer of Google Project Zero

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13868: Brandon Azad

CVE-2017-13869: Jann Horn of Google Project Zero

**Kernel**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.

CVE-2017-7154: Jann Horn of Google Project Zero

Entry added December 21, 2017

**Mail**

Available for: macOS High Sierra 10.13.1

Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-13871: Lukas Pitschl of GPGTools

Entry updated December 21, 2017

**Mail Drafts**

Available for: macOS High Sierra 10.13.1

Impact: An attacker with a privileged network position may be able to intercept mail

Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.

CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH

Entry updated January 10, 2018

**OpenSSL**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.

CVE-2017-3735: found by OSS-Fuzz

**Perl**

Available for: macOS Sierra 10.12.6

Impact: This bugs can allow remote attackers to cause a denial of service

Description: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18

CVE-2017-12837: Jakub Wilk

Entry added October 18, 2018

**Screen Sharing Server**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1

Impact: A user with screen sharing access may be able to access any file readable by root

Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.

CVE-2017-7158: Trevor Jacques of Toronto

Entry updated December 21, 2017

**SIP**

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A configuration issue was addressed with additional restrictions.

CVE-2017-13911: Timothy Perfitt of Twocanoes Software

Entry updated August 8, 2018, updated September 25, 2018

**Wi-Fi**

Available for: macOS High Sierra 10.13.1

Impact: An unprivileged user may change Wi-Fi system parameters leading to denial of service

Description: An access issue existed with privileged Wi-Fi system configuration. This issue was addressed with additional restrictions.

CVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt

Entry added May 2, 2018

CVE-2017-13892: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan, macOS High Sierra 10.13. A malicious application may be able to elevate privileges.

Released October 31, 2017

**apache**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Multiple issues in Apache

Description: Multiple issues were addressed by updating to version 2.4.27.

CVE-2016-0736

CVE-2016-2161

CVE-2016-5387

CVE-2016-8740

CVE-2016-8743

CVE-2017-3167

CVE-2017-3169

CVE-2017-7659

CVE-2017-7668

CVE-2017-7679

CVE-2017-9788

CVE-2017-9789

Entry updated November 14, 2017

**APFS**

Available for: macOS High Sierra 10.13

Impact: A malicious Thunderbolt adapter may be able to recover unencrypted APFS filesystem data

Description: An issue existed in the handling of DMA. This issue was addressed by limiting the time the FileVault decryption buffers are DMA mapped to the duration of the I/O operation.

CVE-2017-13786: Dmytro Oleksiuk

Entry updated November 10, 2017

**APFS**

Available for: macOS High Sierra 10.13

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13800: Sergej Schumilo of Ruhr-University Bochum

**AppleScript**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Decompiling an AppleScript with osadecompile may lead to arbitrary code execution

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13809: bat0s

Entry updated November 10, 2017

**ATS**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-13820: John Villamil, Doyensec

**Audio**

Available for: macOS Sierra 10.12.6

Impact: Parsing a maliciously crafted QuickTime file may lead to an unexpected application termination or arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2017-13807: Yangkang (@dnpushme) of Qihoo 360 Qex Team

Entry updated January 22, 2019

**CFNetwork**

Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13829: Niklas Baumstark and Samuel Gro working with Trend Micro's Zero Day Initiative 

CVE-2017-13833: Niklas Baumstark and Samuel Gro working with Trend Micro's Zero Day Initiative

Entry added November 10, 2017

**CFString**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13821: Australian Cyber Security Centre – Australian Signals Directorate

**CoreText**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2017-13825: Australian Cyber Security Centre – Australian Signals Directorate

Entry updated November 16, 2018

**curl**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Uploading using TFTP to a maliciously crafted URL with libcurl may disclose application memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2017-1000100: Even Rouault, found by OSS-Fuzz

**curl**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Processing a maliciously crafted URL with libcurl may cause unexpected application termination or read process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2017-1000101: Brian Carpenter, Yongji Ouyang

**Dictionary Widget**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Searching pasted text in the Dictionary widget may lead to compromise of user information

Description: A validation issue existed which allowed local file access. This was addressed with input sanitization.

CVE-2017-13801: xisigr of Tencent's Xuanwu Lab (tencent.com)

**file**

Available for: macOS Sierra 10.12.6

Impact: Multiple issues in file

Description: Multiple issues were addressed by updating to version 5.31.

CVE-2017-13815: found by OSS-Fuzz

Entry updated October 18, 2018

**Fonts**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Rendering untrusted text may lead to spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-13828: Leonard Grey and Robert Sesek of Google Chrome

Entry updated November 10, 2017

**fsck\_msdos**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13811: V.E.O. (@VYSEa) of Mobile Advanced Threat Team of Trend Micro

Entry updated November 2, 2017

**HFS**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13830: Sergej Schumilo of Ruhr-University Bochum

**Heimdal**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An attacker in a privileged network position may be able to impersonate a service

Description: A validation issue existed in the handling of the KDC-REP service name. This issue was addressed with improved validation.

CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams

Entry updated January 22, 2019

**HelpViewer**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A quarantined HTML file may execute arbitrary JavaScript cross-origin

Description: A cross-site scripting issue existed in HelpViewer. This issue was addressed by removing the affected file.

CVE-2017-13819: Filippo Cavallarin of SecuriTeam Secure Disclosure

Entry updated November 10, 2017

**ImageIO**

Available for: macOS Sierra 10.12.6

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-13814: Australian Cyber Security Centre – Australian Signals Directorate

Entry updated November 16, 2018

**ImageIO**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-13831: Glen Carmichael

Entry updated April 3, 2019

**IOAcceleratorFamily**

Available for: macOS Sierra 10.12.6

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13906

Entry added October 18, 2018

**Kernel**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A local user may be able to leak sensitive user information

Description: A permissions issue existed in kernel packet counters. This issue was addressed with improved permission validation.

CVE-2017-13810: Zhiyun Qian of University of California, Riverside

Entry updated January 22, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A local user may be able to read kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2017-13817: Maxime Villard (m00nbsd)

**Kernel**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13818: The UK's National Cyber Security Centre (NCSC)

CVE-2017-13836: Vlad Tsyrklevich

CVE-2017-13841: Vlad Tsyrklevich

CVE-2017-13840: Vlad Tsyrklevich

CVE-2017-13842: Vlad Tsyrklevich

CVE-2017-13782: Kevin Backhouse of Semmle Ltd.

Entry updated June 18, 2018

**Kernel**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13843: an anonymous researcher, an anonymous researcher

**Kernel**

Available for: macOS Sierra 10.12.6

Impact: Processing a malformed mach binary may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2017-13834: Maxime Villard (m00nbsd)

Entry updated January 22, 2019

**Kernel**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13799: Lufeng Li of Qihoo 360 Vulcan Team

Entry updated November 10, 2017

**Kernel**

Available for: macOS High Sierra 10.13

Impact: A malicious application may be able to learn information about the presence and operation of other applications on the device.

Description: An application was able to access process information maintained by the operating system unrestricted. This issue was addressed with rate limiting.

CVE-2017-13852: Xiaokuan Zhang and Yinqian Zhang of The Ohio State University, Xueqiang Wang and XiaoFeng Wang of Indiana University Bloomington, and Xiaolong Bai of Tsinghua University

Entry added November 10, 2017, updated January 22, 2019

**libarchive**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2017-13813: found by OSS-Fuzz

Entry updated November 16, 2018, updated January 22, 2019

**libarchive**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2017-13812: found by OSS-Fuzz

Entry updated January 22, 2019

**libarchive**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2016-4736: Proteas of Qihoo 360 Nirvan Team

Entry updated December 21, 2017

**libxml2**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A null pointer dereference was addressed with improved validation.

CVE-2017-5969: Gustavo Grieco

Entry added October 18, 2018

**libxml2**

Available for: OS X El Capitan 10.11.6

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2017-5130: an anonymous researcher

CVE-2017-7376: an anonymous researcher

Entry added October 18, 2018

**libxml2**

Available for: macOS Sierra 10.12.6

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-9050: Mateusz Jurczyk (j00ru) of Google Project Zero

Entry added October 18, 2018

**libxml2**

Available for: macOS Sierra 10.12.6

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2017-9049: Wei Lei and Liu Yang - Nanyang Technological University in Singapore

Entry added October 18, 2018

**LinkPresentation**

Available for: macOS High Sierra 10.13

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2018-4390: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter

CVE-2018-4391: Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter

Entry added November 16, 2018

**Login Window**

Available for: macOS High Sierra 10.13

Impact: The screen lock may unexpectedly remain unlocked

Description: A state management issue was addressed with improved state validation.

CVE-2017-13907: an anonymous researcher

Entry added October 18, 2018

**Open Scripting Architecture**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Decompiling an AppleScript with osadecompile may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13824: an anonymous researcher

**PCRE**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Multiple issues in pcre

Description: Multiple issues were addressed by updating to version 8.40.

CVE-2017-13846

**Postfix**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Multiple issues in Postfix

Description: Multiple issues were addressed by updating to version 3.2.2.

CVE-2017-10140: an anonymous researcher

Entry updated November 17, 2017

**Quick Look**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13822: Australian Cyber Security Centre – Australian Signals Directorate

**Quick Look**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2017-7132: Australian Cyber Security Centre – Australian Signals Directorate

Entry updated January 22, 2019

**QuickTime**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13823: Xiangkun Jia of Institute of Software Chinese Academy of Sciences

Entry updated November 10, 2017

**Remote Management**

Available for: macOS Sierra 10.12.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13808: an anonymous researcher

**Sandbox**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13838: Alastair Houghton

Entry updated November 10, 2017

**Security**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: An authorization issue was addressed with improved state management.

CVE-2017-7170: Patrick Wardle of Synack

Entry added January 11, 2018

**Security**

Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A malicious application can extract keychain passwords

Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.

CVE-2017-7150: Patrick Wardle of Synack

Entry added November 17, 2017

**SMB**

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6

Impact: A local attacker may be able to execute non-executable text files via an SMB share

Description: An issue in handling file permissions was addressed with improved validation.

CVE-2017-13908: an anonymous researcher

Entry added October 18, 2018

**StreamingZip**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A malicious zip file may be able modify restricted areas of the file system

Description: A path handling issue was addressed with improved validation.

CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L.

**tcpdump**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6

Impact: Multiple issues in tcpdump

Description: Multiple issues were addressed by updating to version 4.9.2.

CVE-2017-11108

CVE-2017-11541

CVE-2017-11542

CVE-2017-11543

CVE-2017-12893

CVE-2017-12894

CVE-2017-12895

CVE-2017-12896

CVE-2017-12897

CVE-2017-12898

CVE-2017-12899

CVE-2017-12900

CVE-2017-12901

CVE-2017-12902

CVE-2017-12985

CVE-2017-12986

CVE-2017-12987

CVE-2017-12988

CVE-2017-12989

CVE-2017-12990

CVE-2017-12991

CVE-2017-12992

CVE-2017-12993

CVE-2017-12994

CVE-2017-12995

CVE-2017-12996

CVE-2017-12997

CVE-2017-12998

CVE-2017-12999

CVE-2017-13000

CVE-2017-13001

CVE-2017-13002

CVE-2017-13003

CVE-2017-13004

CVE-2017-13005

CVE-2017-13006

CVE-2017-13007

CVE-2017-13008

CVE-2017-13009

CVE-2017-13010

CVE-2017-13011

CVE-2017-13012

CVE-2017-13013

CVE-2017-13014

CVE-2017-13015

CVE-2017-13016

CVE-2017-13017

CVE-2017-13018

CVE-2017-13019

CVE-2017-13020

CVE-2017-13021

CVE-2017-13022

CVE-2017-13023

CVE-2017-13024

CVE-2017-13025

CVE-2017-13026

CVE-2017-13027

CVE-2017-13028

CVE-2017-13029

CVE-2017-13030

CVE-2017-13031

CVE-2017-13032

CVE-2017-13033

CVE-2017-13034

CVE-2017-13035

CVE-2017-13036

CVE-2017-13037

CVE-2017-13038

CVE-2017-13039

CVE-2017-13040

CVE-2017-13041

CVE-2017-13042

CVE-2017-13043

CVE-2017-13044

CVE-2017-13045

CVE-2017-13046

CVE-2017-13047

CVE-2017-13048

CVE-2017-13049

CVE-2017-13050

CVE-2017-13051

CVE-2017-13052

CVE-2017-13053

CVE-2017-13054

CVE-2017-13055

CVE-2017-13687

CVE-2017-13688

CVE-2017-13689

CVE-2017-13690

CVE-2017-13725

**Wi-Fi**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

Entry updated November 3, 2017

**Wi-Fi**

Available for: macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

Entry updated November 3, 2017

CVE-2017-13906: About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3. A local user may be able to modify protected parts of the file system.

Released December 13, 2021

**Archive Utility**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved state management.

CVE-2021-30950: @gorelics

**Bluetooth**

Available for: macOS Catalina

Impact: A malicious application may be able to disclose kernel memory

Description: A logic issue was addressed with improved validation.

CVE-2021-30931: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved validation.

CVE-2021-30935: an anonymous researcher

**ColorSync**

Available for: macOS Catalina

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue in the processing of ICC profiles was addressed with improved input validation.

CVE-2021-30942: Mateusz Jurczyk of Google Project Zero

**CoreAudio**

Available for: macOS Catalina

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab

**CoreAudio**

Available for: macOS Catalina

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30959: JunDong Xie of Ant Security Light-Year Lab

CVE-2021-30961: an anonymous researcher

CVE-2021-30963: JunDong Xie of Ant Security Light-Year Lab

**Crash Reporter**

Available for: macOS Catalina

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed with improved checks.

CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Graphics Drivers**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2021-30977: Jack Dates of RET2 Systems, Inc.

**Help Viewer**

Available for: macOS Catalina

Impact: Processing a maliciously crafted URL may cause unexpected JavaScript execution from a file on disk

Description: A path handling issue was addressed with improved validation.

CVE-2021-30969: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**ImageIO**

Available for: macOS Catalina

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin (@patch1t) of Trend Micro

**Intel Graphics Driver**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2021-30981: an anonymous researcher, Liu Long of Ant Security Light-Year Lab

**IOUSBHostFamily**

Available for: macOS Catalina

Impact: A remote attacker may be able to cause unexpected application termination or heap corruption

Description: A race condition was addressed with improved locking.

CVE-2021-30982: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

**Kernel**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30927: Xinru Chi of Pangu Lab

CVE-2021-30980: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2021-30937: Sergei Glazunov of Google Project Zero

**Kernel**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2021-30949: Ian Beer of Google Project Zero

**LaunchServices**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved validation.

CVE-2021-30990: Ron Masas of BreakPoint.sh

**LaunchServices**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved state management.

CVE-2021-30976: chenyuwang (@mzzzz\_\_) and Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30929: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30979: Mickey Jin (@patch1t) of Trend Micro

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30940: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

CVE-2021-30941: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30973: Ye Zhang (@co0py\_Cat) of Baidu Security

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30971: Ye Zhang (@co0py\_Cat) of Baidu Security

**Preferences**

Available for: macOS Catalina

Impact: A malicious application may be able to elevate privileges

Description: A race condition was addressed with improved state handling.

CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Catalina

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: A validation issue related to hard link behavior was addressed with improved sandbox restrictions.

CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security

**Script Editor**

Available for: macOS Catalina

Impact: A malicious OSAX scripting addition may bypass Gatekeeper checks and circumvent sandbox restrictions

Description: This issue was addressed by disabling execution of JavaScript when viewing a scripting dictionary.

CVE-2021-30975: Ryan Pickren (ryanpickren.com)

**TCC**

Available for: macOS Catalina

Impact: A local user may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2021-30767: @gorelics

**TCC**

Available for: macOS Catalina

Impact: A malicious application may be able to cause a denial of service to Endpoint Security clients

Description: A logic issue was addressed with improved state management.

CVE-2021-30965: Csaba Fitzl (@theevilbit) of Offensive Security

**Wi-Fi**

Available for: macOS Catalina

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: This issue was addressed with improved checks.

CVE-2021-30938: Xinru Chi of Pangu Lab

CVE-2021-30767: About the security content of Security Update 2021-008 Catalina

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

**Chrome Releases**

Release updates from the Chrome team

CVE-2021-4052: Stable Channel Update for Desktop

Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets.

CVE-2021-4079: Stable Channel Update for Desktop

Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-38022: 1248862 - chromium - An open-source project to help move the web forward.

Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2021-38021: Stable Channel Update for Desktop

Use after free in loader in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-38005: 1241091 - chromium - An open-source project to help move the web forward.

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “_**FOR RESTORE SEND 0.1 BITCOIN**_” were sitting at 6 last week and increased to 291 at the time of writing this. Upon visiting their website webmasters have been met with an alarming message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/siteencrypted.png)

SITE ENCRYPTED

FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc

(create file on site /unlock .txt with transaction key inside)

The warning indicated that the website was hit with a ransomware attack. The files were reported to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin. While the price of Bitcoin is extremely volatile, at the time of writing this article that would clock in at a whopping $6,000+ USD

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinexchange.png)

Not a negligible sum of money for an average website owner, to say the least! Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look.

**Past Cases of Website Ransomware**

This would certainly not be our first time seeing websites impacted by ransomware. Typically ransomware affects endpoint devices, sometimes entire businesses and institutions. In fact, as I type this the entire provincial health care system of Newfoundland has been brought to its knees with thousands of delayed surgeries due to a crippling suspected ransomware attack.

Starting at the beginning of 2016 we saw some examples of website files themselves being encrypted by attackers with a ransom being demanded, which we wrote about on our blog at the time. This was pretty short lived, however. Attackers always go after the money to maximise their profits. We can only presume that targeting websites wasn’t terribly profitable and was best for them to go after endpoints, businesses and organisations. It’s also much more common for website owners to have backups handy, rendering the entire attack moot.

**More than Meets the Eye**

The clock was ticking on the ransom notification: Seven days, ten hours, 21 minutes and 9 seconds to pay the ransom before the files would be encrypted and irretrievable forever. Tick, tock, tick, tock ⏰

However, when we began our investigation into the website it turned out that nothing was encrypted at all! Normally when ransomware attacks website files the extension is changed to _.lock_ or something similar, and the files have been rendered as unreadable, encrypted rubbish. Not so in this example!

So what was causing the frightening warning?

**Fake Ransomware Warning Generated by Plugin**

The solution to the source was actually quite simple: All we had to do was to query the file structure for the BitCoin account number. That led us to the following file:

./wp-content/plugins/directorist/directorist-base.php

Sure enough, the ransom warning was completely bogus. Nothing was encrypted at all! It was a simple HTML page generated by this bogus plugin and nothing more. Let’s take a look at this code and see what exactly it was doing.

Near the end of that file we can see that the malicious bit is just using some very basic HTML to generate the ransom message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinr.png)

_FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc_

As well as some basic PHP to generate the countdown clock:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/countdown.png)

_All cases so far have defaulted to November 20th, 2021_

The desired date can be edited here to instill more panic into the request. Remember folks, rule number one about online scams like phishing is instilling a sense of _urgency_ to the victim!

**Removing the Infection**

Getting this infection cleared up is easy enough, all we had to do was remove the plugin from the wp-content/plugins directory. However, once we got the main website page back all of their pages and posts were leading to 404 Not Found responses.

The reason for this is the last snippet of the malicious plugin:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/azze.png)

Here we see a basic SQL command which finds any posts and pages with the “**publish**” status and changes them to “**null**“. All the content was still in the database, just unable to be viewed! This can be reversed with an equally simple SQL command:

_UPDATE \`wp\_posts\` SET \`post\_status\` = 'publish' WHERE \`post\_status\` = 'null';_

This will publish any content in the database marked as _null._ If you have other content marked as such, it will re-publish that, but that is certainly better than losing all your website posts and pages.

We also see the plugin including the following file:

./wp-content/plugins/directorist/azz\_encrypt.php

However, so far we haven’t seen this file present in any of the infections. It’s possible that in other cases of this infection this file could contain functionality to encrypt the files, but so far we haven’t found a candidate with it present.

**Determining the Source**

In checking the access logs for the website it was easy enough to determine the IP address responsible. Our client was located in the southern United States, however we saw quite a few requests from a foreign IP address which was interacting with the directorist plugin using the plugin editor feature of wp-admin. This suggests that the legitimate plugin was already installed on the website and later tampered with by the attackers.

Interestingly, the very first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans. Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.

**How to Protect your Site**

Once the plugin is removed and the nulled content in the database restored then tying up the loose ends is pretty straightforward!

*   Review admin users on the site, remove any bogus accounts and update/change all wp-admin passwords
*   Secure your wp-admin administrator page
*   Change other access point passwords (database, FTP, cPanel, etc)
*   Ideally, place your website behind a firewall
*   Don’t forget about reliable backups! Even if hackers manage to encrypt your whole site, it will be easy to restore it from the latest backup.

We recently published a detailed article on many of the different options that WordPress website owners have at their disposal to secure their admin page. Be sure to give it a read to make sure your website isn’t low hanging fruit for the bad guys! In particular, the _disallow\_file\_edit_ function would have helped prevent this attack!

If you are a website owner and are affected by this attack our remediation analysts can help remove the infection for you!

**UPDATE:** While the original point of this article was to mention this new malware infection and not locate its source we mentioned it may have been a compromised admin account. Upon further evaluation it was due to a cross-side request forgery vulnerability in the Directorist plugin which has since been patched. Thank you to Plugin Vulnerabilities for reading and paying close attention to our blog posts. Users of this plugin should update immediately!

Tag

#google