Details of VAR-201702-0213

ID

VAR-201702-0213

CVE

CVE-2016-7614

TITLE

Apple iCloud of Windows Vulnerabilities that can capture important information in security components

Trust: 0.8

sources: JVNDB: JVNDB-2016-007445

DESCRIPTION

An issue was discovered in certain Apple products. iCloud before 6.1 is affected. The issue involves the "Windows Security" component. It allows local users to obtain sensitive information from iCloud desktop-client process memory via unspecified vectors. Apple iCloud for Windows is prone to a local information-disclosure vulnerability. An attacker can leverage this issue to obtain sensitive information that may aid in further attacks. Versions prior to iCloud 6.1 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-12-13-4 iCloud for Windows v6.1 iCloud for Windows v6.1 is now available and addresses the following: WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4692: Apple CVE-2016-7635: Apple CVE-2016-7652: Apple WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4743: Alan Cutter WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may result in the disclosure of user information Description: A validation issue was addressed through improved state management. CVE-2016-7586: Boris Zbarsky WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved state management. CVE-2016-7587: Adam Klein CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative CVE-2016-7611: an anonymous researcher working with Trend Micro's Zero Day Initiative CVE-2016-7639: Tongbo Luo of Palo Alto Networks CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7642: Tongbo Luo of Palo Alto Networks CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab (tencent.com) CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day Initiative WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved state management. CVE-2016-7589: Apple CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day Initiative WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may compromise user information Description: An issue existed in handling of JavaScript prompts. This was addressed through improved state management. CVE-2016-7592: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: An uninitialized memory access issue was addressed through improved memory initialization. CVE-2016-7598: Samuel GroA WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may result in the disclosure of user information Description: An issue existed in the handling of HTTP redirects. This issue was addressed through improved cross origin validation. CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved state management. This issue was addressed through improved memory handling. CVE-2016-7614: Yakir Wizman iCloud for Windows v6.1 may be obtained from: https://support.apple.com/HT204283 Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJYUDfeAAoJEIOj74w0bLRGi1YQAM04Zdc+W0/qkdER4iM5XbuV b18e7QZuOCha24mYIXpKplO86+Ii47fx4HyzP6BP4SvaurlGo2Z58U6KXsg3NoLh VBiQZMlXAX5RpMJyWvV16Tu2KRKEK6eUcIv71xXAbMIDO0liuFIZnSzpn1D91Xvd lVq/cCw5l+xdPzrqrm2PJQRDPu32S21UrfxzpnUZUirLuF62RaHB6aPpbz8IA924 X7+BnKwpyG82py7ohwAYnvTaAt9ZHU7tWyZwpE/h8BxR+aTw/0J5il/NS55v/b9v Q2cmMploNlD7GSsqo5ruB+iICnn4slkCA2ep8dzX6vWhy0/5LNxVgy+rqbRUtkoB hpQ/tL25D2gfLLr3nnxMl/oBsB0iLNGtkzsOKqVVZzBEBpfbz3iEw7yeI7fSmOp6 87gyegE6znAw6GI7+JrhoMBeHW1QBe1YReIFj/CX4/ojYxTzAwDxdEULN77zHppK ZwlOE6fIXefqrioITbY9GGT4pbqsTN4ZUbt+UGS51mbDKkVIysuUMTvKKxT2WlFc 2Sj7Uk1SOaJ719/YGge84YKdZokyN0kmTCEIiE5HLNrms1uCURVVbh9YzVluL/hm R4UiaM9RmovvGi9cGpMpabnyoJwAj/U1Gtn0nHUZnmsGm3j9Y+LIgrj3xFByH2oO 82ORmQJsxN4FLllw5Zyd =3eCL -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2016-7614 // JVNDB: JVNDB-2016-007445 // BID: 94911 // VULHUB: VHN-96434 // PACKETSTORM: 140154

AFFECTED PRODUCTS

vendor:	apple	model:	icloud	scope:	lte	version:	6.0.1	Trust: 1.0
vendor:	apple	model:	icloud	scope:	eq	version:	6.0.1	Trust: 0.9
vendor:	apple	model:	icloud	scope:	lt	version:	6.1 (windows 7 or later )	Trust: 0.8
vendor:	apple	model:	icloud	scope:	eq	version:	6.0	Trust: 0.3
vendor:	apple	model:	icloud	scope:	ne	version:	6.1	Trust: 0.3

sources: BID: 94911 // JVNDB: JVNDB-2016-007445 // CNNVD: CNNVD-201612-436 // NVD: CVE-2016-7614

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-7614
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-7614
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201612-436
value:	LOW
Trust: 0.6
VULHUB:	VHN-96434
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2016-7614
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-96434
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-7614
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-96434 // JVNDB: JVNDB-2016-007445 // CNNVD: CNNVD-201612-436 // NVD: CVE-2016-7614

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-96434 // JVNDB: JVNDB-2016-007445 // NVD: CVE-2016-7614

THREAT TYPE

local

Trust: 0.9

sources: BID: 94911 // CNNVD: CNNVD-201612-436

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201612-436

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007445

PATCH

title:	Apple security updates	url:	https://support.apple.com/en-us/HT201222	Trust: 0.8
title:	APPLE-SA-2016-12-13-4 iCloud for Windows v6.1	url:	https://lists.apple.com/archives/security-announce/2016/Dec/msg00006.html	Trust: 0.8
title:	HT207424	url:	https://support.apple.com/en-us/HT207424	Trust: 0.8
title:	HT207424	url:	https://support.apple.com/ja-jp/HT207424	Trust: 0.8
title:	Apple iCloud for Windows Information disclosure repair measures	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66470	Trust: 0.6

sources: JVNDB: JVNDB-2016-007445 // CNNVD: CNNVD-201612-436

EXTERNAL IDS

db:	NVD	id:	CVE-2016-7614	Trust: 2.9
db:	BID	id:	94911	Trust: 2.0
db:	JVN	id:	JVNVU97133642	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-007445	Trust: 0.8
db:	CNNVD	id:	CNNVD-201612-436	Trust: 0.7
db:	VULHUB	id:	VHN-96434	Trust: 0.1
db:	PACKETSTORM	id:	140154	Trust: 0.1

sources: VULHUB: VHN-96434 // BID: 94911 // JVNDB: JVNDB-2016-007445 // PACKETSTORM: 140154 // CNNVD: CNNVD-201612-436 // NVD: CVE-2016-7614

REFERENCES

url:	http://www.securityfocus.com/bid/94911	Trust: 1.7
url:	https://support.apple.com/ht207424	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-7614	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97133642/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-7614	Trust: 0.8
url:	https://www.apple.com/	Trust: 0.3
url:	https://support.apple.com/en-us/ht201222	Trust: 0.3
url:	https://support.apple.com/ht204283	Trust: 0.1
url:	https://support.apple.com/kb/ht201222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7599	Trust: 0.1
url:	https://gpgtools.org	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7648	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7635	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7632	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7642	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7645	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7646	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7586	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7641	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7610	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7614	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7589	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7649	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7587	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-4692	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7656	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7640	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7592	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7639	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7654	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7611	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7652	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-4743	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-7598	Trust: 0.1

sources: VULHUB: VHN-96434 // BID: 94911 // JVNDB: JVNDB-2016-007445 // PACKETSTORM: 140154 // CNNVD: CNNVD-201612-436 // NVD: CVE-2016-7614

CREDITS

Yakir Wizman.

Trust: 0.9

sources: BID: 94911 // CNNVD: CNNVD-201612-436

SOURCES

db:	VULHUB	id:	VHN-96434
db:	BID	id:	94911
db:	JVNDB	id:	JVNDB-2016-007445
db:	PACKETSTORM	id:	140154
db:	CNNVD	id:	CNNVD-201612-436
db:	NVD	id:	CVE-2016-7614

LAST UPDATE DATE

2024-11-23T20:41:59.707000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-96434	date:	2017-02-21T00:00:00
db:	BID	id:	94911	date:	2016-12-20T01:09:00
db:	JVNDB	id:	JVNDB-2016-007445	date:	2017-03-01T00:00:00
db:	CNNVD	id:	CNNVD-201612-436	date:	2017-02-28T00:00:00
db:	NVD	id:	CVE-2016-7614	date:	2024-11-21T02:58:18.343

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-96434	date:	2017-02-20T00:00:00
db:	BID	id:	94911	date:	2016-12-13T00:00:00
db:	JVNDB	id:	JVNDB-2016-007445	date:	2017-03-01T00:00:00
db:	PACKETSTORM	id:	140154	date:	2016-12-14T15:55:55
db:	CNNVD	id:	CNNVD-201612-436	date:	2016-12-16T00:00:00
db:	NVD	id:	CVE-2016-7614	date:	2017-02-20T08:59:02.603