ID

VAR-201710-1380

CVE

CVE-2017-7133

TITLE

Apple iOS of MobileBackup Vulnerabilities in which important plaintext information is obtained in components

DESCRIPTION

An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "MobileBackup" component. It allows remote attackers to obtain sensitive cleartext information in opportunistic circumstances by leveraging read access to a backup archive that was supposed to have been encrypted. Apple iOS is prone to multiple security vulnerabilities. Successful exploits will allow attackers to perform unauthorized actions, or cause denial-of-service conditions; other attacks may also be possible. Versions prior to Apple iOS 11 are vulnerable. MobileBackup is one of the system backup components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2017-09-19-1 iOS 11 iOS 11 is now available and addresses the following: Exchange ActiveSync Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: An attacker in a privileged network position may be able to erase a device during Exchange account setup Description: A validation issue existed in AutoDiscover V1. This issue was addressed through requiring TLS. CVE-2017-7088: Ilya Nesterov, Maxim Goncharov iBooks Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Parsing a maliciously crafted iBooks file may lead to a persistent denial-of-service Description: Multiple denial of service issues were addressed through improved memory handling. CVE-2017-7072: JAdrzej Krysztofiak Mail MessageUI Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted image may lead to a denial of service Description: A memory corruption issue was addressed with improved validation. CVE-2017-7097: Xinshu Dong and Jun Hao Tan of Anquan Capital Messages Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing a maliciously crafted image may lead to a denial of service Description: A denial of service issue was addressed through improved validation. CVE-2017-7118: Kiki Jiang and Jason Tokoph MobileBackup Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Backup may perform an unencrypted backup despite a requirement to perform only encrypted backups Description: A permissions issue existed. This issue was addressed with improved permission validation. CVE-2017-7133: Don Sparks of HackediOS.com Safari Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com) WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. CVE-2017-7089: Anton Lopanitsyn of ONSEC, Frans RosA(c)n of Detectify WebKit Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com) Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "11". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJZwVI3AAoJEIOj74w0bLRGSncQAMxcG5XB4dncEVU3cTFGO0e/ LVQJzWpK50Lwr7kM+1CV3Nh9oa9b6+3f2hh9vYJ34OHPJbUEasqrZmAFiDjbJoZn 46e34Rxwk7+oGXSFUS15SEAxAsctTCG3redczoZy/7k75q1z/lq1KZPD9WKCoieP m30OuTsEy3x9UZpJ5xcGJXTCy1LE6kFeGtcNBc7T2JBDXR2Y/4inQvIqhhj15Cg+ o6kvRVcUIysDTbeEB2WNRWQn6uKWw/Gl0eg9wei2dMzkbNUIEOSVhPoOCrnLLkQb Ud/YpIYCDn8Uy9on9bnVRa8ZOg0Yx52tuZJ920vu4+8xnSyBvkmSy7AtSU9IZ5SW QLHYuDSECo+nW7xPuFHce2KkUHcZrzAHKpJBGpruq2IX7Vfz5/1w0YJU93pwj5Sy A68JREYoThj/Ath+nPZAvUXUHR0sLXgRlBWUfwo1UsXt4lsVy+b7b0wQP/wX1atz 6/c72oChTp5c8VWlfajHadC6EmLRuBYoLW8HxlemyWU+RZDNjMMb11ytL/vg+VOL 51u+BjCs/6BIJI6+mirfG+XK/DVjStgy5W3atup5yEJXy8ouWyBT4vi1PJgjqQOh 0s4G3yE0J38pvtbCFtSb7VOJBh4ocFz7ggeZ5Z3tSQsawtSlcTfl3+93rJ87yRQG 4UIRwN/cWfzukSyrDAis =ufig -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

encryption problem

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ilya Nesterov, Maxim Goncharov, Jedrzej Krysztofiak, Kiki Jiang and Jason Tokoph, and Don Sparks of HackediOS.com

SOURCES

LAST UPDATE DATE

2024-11-23T20:41:25.295000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE