ID

VAR-201702-0387


CVE

CVE-2016-4613


TITLE

Information disclosure vulnerability in WebKit used in multiple Apple products

Trust: 0.8

sources: JVNDB: JVNDB-2016-007433

DESCRIPTION

An issue was discovered in certain Apple products. Safari before 10.0.1 is affected. iCloud before 6.0.1 is affected. iTunes before 12.5.2 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a crafted web site.

WebKit is prone to an information-disclosure vulnerability and multiple memory-corruption vulnerabilities. Failed exploit attempts will likely cause a denial-of-service condition.

Apple iCloud for Windows is Apple's cloud service client for the Windows platform, which supports the storage of music, photos, apps and contacts. A memory corruption vulnerability exists in the WebKit component of Apple iCloud versions prior to 6.0.1 on Windows platforms.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-10-27-2 iCloud for Windows v6.0.1

iCloud for Windows v6.0.1 is now available and addresses the following:

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may result in the disclosure of user information
Description: An input validation issue was addressed through improved state management.
CVE-2016-4613: Chris Palmer

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-7578: Apple

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

==========================================================================
Ubuntu Security Notice USN-3166-1
January 10, 2017

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in WebKitGTK+.

Software Description:
- webkit2gtk: JavaScript engine library from WebKitGTK+ - GObject introspection

Details:

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
  libjavascriptcoregtk-4.0-18  2.14.2-0ubuntu0.16.04.1
  libwebkit2gtk-4.0-37         2.14.2-0ubuntu0.16.04.1

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3166-1
  CVE-2016-4613, CVE-2016-4657, CVE-2016-4666, CVE-2016-4707, CVE-2016-4728, CVE-2016-4733, CVE-2016-4734, CVE-2016-4735, CVE-2016-4759, CVE-2016-4760, CVE-2016-4761, CVE-2016-4762, CVE-2016-4764, CVE-2016-4765, CVE-2016-4767, CVE-2016-4768, CVE-2016-4769, CVE-2016-7578

Package Information:
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.2-0ubuntu0.16.04.1

Trust: 2.25

sources: NVD: CVE-2016-4613 // JVNDB: JVNDB-2016-007433 // BID: 93949 // VULHUB: VHN-93432 // PACKETSTORM: 139381 // PACKETSTORM: 139382 // PACKETSTORM: 140417

AFFECTED PRODUCTS

vendor: apple | model: tv | scope: eq | version: 10.0.0

Trust: 1.6

vendor: apple | model: safari | scope: lte | version: 10.0.0

Trust: 1.0

vendor: apple | model: itunes | scope: lte | version: 12.5.1

Trust: 1.0

vendor: apple | model: icloud | scope: lte | version: 6.0.0

Trust: 1.0

vendor: apple | model: itunes | scope: eq | version: 12.5.1

Trust: 0.9

vendor: apple | model: icloud | scope: lt | version: 6.0.1 (windows 7 or later)

Trust: 0.8

vendor: apple | model: itunes | scope: lt | version: 12.5.2 (windows 7 or later)

Trust: 0.8

vendor: apple | model: safari | scope: lt | version: 10.0.1 (macos sierra 10.12)

Trust: 0.8

vendor: apple | model: safari | scope: lt | version: 10.0.1 (os x el capitan v10.11.6)

Trust: 0.8

vendor: apple | model: safari | scope: lt | version: 10.0.1 (os x yosemite v10.10.5)

Trust: 0.8

vendor: apple | model: tvos | scope: lt | version: 10.0.1 (apple tv 4th generation)

Trust: 0.8

vendor: apple | model: safari | scope: eq | version: 10.0.0

Trust: 0.6

vendor: apple | model: icloud | scope: eq | version: 6.0.0

Trust: 0.6

vendor: webkit | model: open source project webkit | scope: eq | version: 0

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.4.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.3.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.3.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.2.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1.5

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1.4

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0.5

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0.4

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.6.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.6.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.5.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.1.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.4

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 12.0.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 11.0

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.7

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.6

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.5.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.5.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.5

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.4.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.4

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.3.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.3

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.2.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.2

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.1.1.4

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.1.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10.0.1

Trust: 0.3

vendor: apple | model: itunes | scope: eq | version: 10

Trust: 0.3

vendor: apple | model: icloud | scope: eq | version: 6.0

Trust: 0.3

vendor: apple | model: itunes | scope: ne | version: 12.5.2

Trust: 0.3

vendor: apple | model: icloud | scope: ne | version: 6.0.1

Trust: 0.3

sources: BID: 93949 // JVNDB: JVNDB-2016-007433 // CNNVD: CNNVD-201611-046 // NVD: CVE-2016-4613

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-4613
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-4613
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201611-046
value: MEDIUM

Trust: 0.6

VULHUB: VHN-93432
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-4613
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-93432
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-4613
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-93432 // JVNDB: JVNDB-2016-007433 // CNNVD: CNNVD-201611-046 // NVD: CVE-2016-4613

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-93432 // JVNDB: JVNDB-2016-007433 // NVD: CVE-2016-4613

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 140417 // CNNVD: CNNVD-201611-046

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201611-046

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007433

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-93432

PATCH

title: Apple security updates | url: https://support.apple.com/en-us/HT201222

Trust: 0.8

title: APPLE-SA-2016-10-24-4 tvOS 10.0.1 | url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00003.html

Trust: 0.8

title: APPLE-SA-2016-10-27-2 iCloud for Windows v6.0.1 | url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00006.html

Trust: 0.8

title: APPLE-SA-2016-10-27-3 iTunes 12.5.2 for Windows | url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00007.html

Trust: 0.8

title: APPLE-SA-2016-10-24-3 Safari 10.0.1 | url: https://lists.apple.com/archives/security-announce/2016/Oct/msg00002.html

Trust: 0.8

title: HT207272 | url: https://support.apple.com/en-us/HT207272

Trust: 0.8

title: HT207273 | url: https://support.apple.com/en-us/HT207273

Trust: 0.8

title: HT207274 | url: https://support.apple.com/en-us/HT207274

Trust: 0.8

title: HT207270 | url: https://support.apple.com/en-us/HT207270

Trust: 0.8

title: HT207270 | url: https://support.apple.com/ja-jp/HT207270

Trust: 0.8

title: HT207272 | url: https://support.apple.com/ja-jp/HT207272

Trust: 0.8

title: HT207273 | url: https://support.apple.com/ja-jp/HT207273

Trust: 0.8

title: HT207274 | url: https://support.apple.com/ja-jp/HT207274

Trust: 0.8

title: Remediation for the Apple iCloud for Windows memory corruption vulnerability | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65269

Trust: 0.6

sources: JVNDB: JVNDB-2016-007433 // CNNVD: CNNVD-201611-046

EXTERNAL IDS

db: NVD | id: CVE-2016-4613

Trust: 3.1

db: SECTRACK | id: 1037139

Trust: 1.7

db: BID | id: 93949

Trust: 1.4

db: PACKETSTORM | id: 139381

Trust: 0.8

db: PACKETSTORM | id: 139382

Trust: 0.8

db: JVN | id: JVNVU97557859

Trust: 0.8

db: JVN | id: JVNVU90743185

Trust: 0.8

db: JVNDB | id: JVNDB-2016-007433

Trust: 0.8

db: CNNVD | id: CNNVD-201611-046

Trust: 0.7

db: AUSCERT | id: ESB-2016.2510

Trust: 0.6

db: AUSCERT | id: ESB-2016.2511

Trust: 0.6

db: PACKETSTORM | id: 140417

Trust: 0.2

db: VULHUB | id: VHN-93432

Trust: 0.1

sources: VULHUB: VHN-93432 // BID: 93949 // JVNDB: JVNDB-2016-007433 // PACKETSTORM: 139381 // PACKETSTORM: 139382 // PACKETSTORM: 140417 // CNNVD: CNNVD-201611-046 // NVD: CVE-2016-4613

REFERENCES

url:https://support.apple.com/ht207270

Trust: 1.7

url:https://support.apple.com/ht207272

Trust: 1.7

url:https://support.apple.com/ht207273

Trust: 1.7

url:https://support.apple.com/ht207274

Trust: 1.7

url:http://www.securityfocus.com/bid/93949

Trust: 1.1

url:http://www.securitytracker.com/id/1037139

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4613

Trust: 0.8

url:http://jvn.jp/vu/jvnvu90743185/index.html

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97557859/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4613

Trust: 0.8

url:http://packetstormsecurity.com/files/139381/apple-security-advisory-2016-10-27-2.html

Trust: 0.6

url:http://packetstormsecurity.com/files/139382/apple-security-advisory-2016-10-27-3.html

Trust: 0.6

url:http://www.auscert.org.au/./render.html?it=40046

Trust: 0.6

url:http://www.auscert.org.au/./render.html?it=40042

Trust: 0.6

url:http://securitytracker.com/id/1037139

Trust: 0.6

url:https://www.apple.com/

Trust: 0.3

url:http://prod.lists.apple.com/archives/security-announce/2016/oct/msg00006.html

Trust: 0.3

url:http://prod.lists.apple.com/archives/security-announce/2016/oct/msg00007.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4613

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-7578

Trust: 0.3

url:https://support.apple.com/kb/ht201222

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://gpgtools.org

Trust: 0.2

url:https://www.apple.com/itunes/download/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4767

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4707

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4728

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4734

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4657

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-3166-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4769

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4760

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4764

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4768

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4762

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4666

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4765

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4761

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4759

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4733

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.2-0ubuntu0.16.04.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4735

Trust: 0.1

sources: VULHUB: VHN-93432 // BID: 93949 // JVNDB: JVNDB-2016-007433 // PACKETSTORM: 139381 // PACKETSTORM: 139382 // PACKETSTORM: 140417 // CNNVD: CNNVD-201611-046 // NVD: CVE-2016-4613

CREDITS

Chris Palmer and Apple

Trust: 0.3

sources: BID: 93949

SOURCES

db: VULHUB | id: VHN-93432
db: BID | id: 93949
db: JVNDB | id: JVNDB-2016-007433
db: PACKETSTORM | id: 139381
db: PACKETSTORM | id: 139382
db: PACKETSTORM | id: 140417
db: CNNVD | id: CNNVD-201611-046
db: NVD | id: CVE-2016-4613

LAST UPDATE DATE

2024-11-23T20:36:35.532000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-93432 | date: 2017-07-29T00:00:00
db: BID | id: 93949 | date: 2016-11-24T11:04:00
db: JVNDB | id: JVNDB-2016-007433 | date: 2017-03-01T00:00:00
db: CNNVD | id: CNNVD-201611-046 | date: 2017-03-13T00:00:00
db: NVD | id: CVE-2016-4613 | date: 2024-11-21T02:52:37.233

SOURCES RELEASE DATE

db: VULHUB | id: VHN-93432 | date: 2017-02-20T00:00:00
db: BID | id: 93949 | date: 2016-10-27T00:00:00
db: JVNDB | id: JVNDB-2016-007433 | date: 2017-03-01T00:00:00
db: PACKETSTORM | id: 139381 | date: 2016-10-28T14:33:33
db: PACKETSTORM | id: 139382 | date: 2016-10-28T14:44:55
db: PACKETSTORM | id: 140417 | date: 2017-01-10T23:06:00
db: CNNVD | id: CNNVD-201611-046 | date: 2016-10-28T00:00:00
db: NVD | id: CVE-2016-4613 | date: 2017-02-20T08:59:00.167