iCloud Control Panel 7.20

What's new in this version:

iCloud Control Panel 7.20
ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking
- CVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab
- CVE-2020-9879: Xingwei Lin of Ant-Financial Light-Year Security Lab
- CVE-2020-9936: Mickey Jin of Trend Micro
- CVE-2020-9937: Xingwei Lin of Ant-Financial Light-Year Security Lab

ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation


ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An out-of-bounds read was addressed with improved bounds checking

ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: A buffer overflow issue was addressed with improved memory handling

ImageIO:
- Available for: Windows 7 and later
- Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
- Description: An out-of-bounds write issue was addressed with improved bounds checking

ImageIO:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted image may lead to arbitrary code execution
- Description: An integer overflow was addressed through improved input validation

WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: An out-of-bounds read was addressed with improved input validation

WebKit:
 - Available for: Windows 7 and later
 - Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
 - Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management

WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: A use after free issue was addressed with improved memory management
- CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative

WebKit:
- Available for: Windows 7 and later
- Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
- Description: Multiple issues were addressed with improved logic

WebKit Page Loading:
- Available for: Windows 7 and later
- Impact: A malicious attacker may be able to conceal the destination of a URL
- Description: A URL Unicode encoding issue was addressed with improved state management

WebKit Web Inspector:
- Available for: Windows 7 and later
- Impact: Copying a URL from Web Inspector may lead to command injection
- Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping


iCloud Control Panel 7.18
libxml2:
- Available for: Windows 7 and later
- Impact: Multiple issues in libxml2
- Description: A buffer overflow was addressed with improved size validation
- CVE-2020-3910: LGTM

libxml2:
- Available for: Windows 7 and later
- Impact: Multiple issues in libxml2
- Description: A buffer overflow was addressed with improved bounds checking
- CVE-2020-3909: LGTM
- CVE-2020-3911: found by OSS-Fuzz

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling
- CVE-2020-3901: Benjamin Randazzo

WebKit:
- Available for: Windows 7 and later
- Impact: A download's origin may be incorrectly associated
- Description: A logic issue was addressed with improved restrictions
- CVE-2020-3887: Ryan Pickren

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling
- CVE-2020-3895: grigoritchy
- CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

WebKit:
- Available for: Windows 7 and later
- Impact: An application may be able to read restricted memory
- Description: A race condition was addressed with additional validation
- CVE-2020-3894: Sergei Glazunov of Google Project Zero

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to code execution
- Description: A use after free issue was addressed with improved memory management
- CVE-2020-9783: Apple

WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause arbitrary code execution
- Description: A type confusion issue was addressed with improved memory handling
- CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative

WebKit:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to cause arbitrary code execution
- Description: A memory consumption issue was addressed with improved memory handling
- CVE-2020-3899: found by OSS-Fuzz

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
- Description: An input validation issue was addressed with improved input validation
- CVE-2020-3902: Yigit Can YILMAZ

WebKit Page Loading:
- Available for: Windows 7 and later
- Impact: A file URL may be incorrectly processed
- Description: A logic issue was addressed with improved restrictions
- CVE-2020-3885: Ryan Pickren


iCloud Control Panel 7.16
CFNetwork Proxies:
- Available for: Windows 7 and later
- Impact: An application may be able to gain elevated privileges
- Description: This issue was addressed with improved checks
- CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team

libexpat:
- Available for: Windows 7 and later
- Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information
- Description: This issue was addressed by updating to expat version 2.2.8
- CVE-2019-15903: Joonun Jang

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- Anonymous working with Trend Micro's Zero Day Initiative, Mike Zhang of Pangu Team
- William Bowling (@wcbowling)

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management.
- CVE-2019-8846: Marcin Towalski of Cisco Talos


iCloud Control Panel 7.15
Graphics Driver:
- Available for: Windows 7 and later
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling
- Cheolung Lee of LINE+ Graylab Security Team
- Soyeon Park of SSLab at Georgia Tech
- Cheolung Lee of LINE+ Security Team
- Soyeon Park of SSLab at Georgia Tech
- Cheolung Lee of LINE+ Security Team
- Samuel Groß of Google Project Zero
- Sergei Glazunov of Google Project Zero
- Sergei Glazunov of Google Project Zero
- Sergei Glazunov of Google Project Zero

WebKit Process Model:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling


iCloud Control Panel 7.14
UIFoundation:
- Available for: Windows 7 and later
- Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
- Description: A buffer overflow was addressed with improved bounds checking.
- riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management.
- CVE-2019-8625: Sergei Glazunov of Google Project Zero
- CVE-2019-8719: Sergei Glazunov of Google Project Zero

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative
- CVE-2019-8726: Jihui Lu of Tencent KeenLab
- CVE-2019-8733: Sergei Glazunov of Google Project Zero
- CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative
- CVE-2019-8763: Sergei Glazunov of Google Project Zero


iCloud Control Panel 7.13

libxslt:
- Available for: Windows 7 and later
- Impact: A remote attacker may be able to view sensitive information
- Description: A stack overflow was addressed with improved input validation

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue was addressed with improved state management

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting
- Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management


iCloud Control Panel 7.12

SQLite:
- Available for: Windows 7 and later
- Impact: An application may be able to gain elevated privileges
- Description: An input validation issue was addressed with improved memory handling.
- Omer Gull of Checkpoint Research

SQLite:
- Available for: Windows 7 and later
- Impact: A maliciously crafted SQL query may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved input validation.
- Omer Gull of Checkpoint Research

SQLite:
- Available for: Windows 7 and later
- Impact: A malicious application may be able to read restricted memory
- Description: An input validation issue was addressed with improved input validation.
- Omer Gull of Checkpoint Research

SQLite:
- Available for: Windows 7 and later
- Impact: A malicious application may be able to elevate privileges
- Description: A memory corruption issue was addressed by removing the vulnerable code.
- Omer Gull of Checkpoint Research

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may result in the disclosure of process memory
- Description: An out-of-bounds read was addressed with improved input validation.
- Junho Jang and Hanul Choi of LINE Security Team

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling
- G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
- 01 working with Trend Micro's Zero Day Initiative
- sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
- G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
- an anonymous researcher
- G. Geshev working with Trend Micro Zero Day Initiative
- Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
- G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
- Wen Xu of SSLab at Georgia Tech
- 01 working with Trend Micro Zero Day Initiative
- Fluoroacetate working with Trend Micro's Zero Day Initiative
- G. Geshev working with Trend Micro Zero Day Initiative
- Wen Xu of SSLab, Georgia Tech
- Anonymous working with Trend Micro Zero Day Initiative
- Samuel Groß of Google Project Zero
- G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative
- Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
- Samuel Groß of Google Project Zero
- Samuel Groß of Google Project Zero
- Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab


iCloud Control Panel 7.11
- Change log not available for this version


iCloud Control Panel 7.10
- Change log not available for this version


iCloud Control Panel 7.9.0.9

Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to address bar spoofing
- Description: A logic issue was addressed with improved state management.
- CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab (xlab.tencent.com)

Safari:
- Available for: Windows 7 and later
- Impact: Visiting a malicious website may lead to user interface spoofing
- Description: A logic issue was addressed with improved validation.
- CVE-2018-4439: xisigr of Tencent's Xuanwu Lab (tencent.com)

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4437: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea
- CVE-2018-4464: HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2018-4441: lokihardt of Google Project Zero
- CVE-2018-4442: lokihardt of Google Project Zero
- CVE-2018-4443: lokihardt of Google Project Zero

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management


iCloud Control Panel 7.8.1.12
- Change log not available for this version


iCloud Control Panel 7.8.0.7
- Change log not available for this version


iCloud Control Panel 7.7.0.27

WebKit:
- Impact: Unexpected interaction causes an ASSERT failure
- Description: A memory corruption issue was addressed with improved validation
- CVE-2018-4191: found by OSS-Fuzz

WebKit:
- Impact: Cross-origin SecurityErrors includes the accessed frame’s origin
- Description: The issue was addressed by removing origin information
- CVE-2018-4311: Erling Alf Ellingsen (@steike)

WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved state management
- CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team

WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling.
- CVE-2018-4299: Samuel Groβ (saelo) working with Trend Micro's Zero Day Initiative
- CVE-2018-4323: Ivan Fratric of Google Project Zero
- CVE-2018-4328: Ivan Fratric of Google Project Zero
- CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative
- CVE-2018-4359: Samuel Groß (@5aelo)

WebKit:
- Available for: Windows 7 and later
- Impact: A malicious website may cause unexepected cross-origin behavior
- Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins
- CVE-2018-4319: John Pettitt of Google

WebKit:
- Available for: Windows 7 and later
- Impact: A malicious website may be able to execute scripts in the context of another website
- Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation
- CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A use after free issue was addressed with improved memory management
- CVE-2018-4197: Ivan Fratric of Google Project Zero
- CVE-2018-4306: Ivan Fratric of Google Project Zero
- CVE-2018-4312: Ivan Fratric of Google Project Zero
- CVE-2018-4314: Ivan Fratric of Google Project Zero
- CVE-2018-4315: Ivan Fratric of Google Project Zero
- CVE-2018-4317: Ivan Fratric of Google Project Zero
- CVE-2018-4318: Ivan Fratric of Google Project Zero

WebKit:
- Impact: A malicious website may exfiltrate image data cross-origin
- Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation
- CVE-2018-4345: an anonymous researcher

WebKit:
- Impact: Unexpected interaction causes an ASSERT failure
- Description: A memory consumption issue was addressed with improved memory handling
- CVE-2018-4361: found by Google OSS-Fuzz


iCloud Control Panel 7.6.0.15
CFNetwork:
- A cookie management issue was addressed with improved checks

WebKit:
- A memory corruption issue was addressed with improved memory handling

WebKit:
- A type confusion issue was addressed with improved memory handling
- Sound fetched through audio elements may be exfiltrated cross-originThis issue was addressed with improved audio taint tracking
- A race condition was addressed with additional validation
- Multiple memory corruption issues were addressed with improved memory handling
- Multiple memory corruption issues were addressed with improved input validation


iCloud Control Panel 7.5.0.34
Security:
- An authorization issue was addressed with improved state management

WebKit:
- A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.
- A race condition was addressed with improved locking
- A memory corruption issue was addressed with improved input validation
- A memory corruption issue was addressed with improved memory handling
- A type confusion issue was addressed with improved memory handling
- A memory corruption issue was addressed with improved state management
- Multiple memory corruption issues were addressed with improved memory handling
- An inconsistent user interface issue was addressed with improved state management
- Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method
- A buffer overflow issue was addressed with improved memory handling
- An out-of-bounds read was addressed with improved input validation


iCloud Control Panel 7.4.0.111

Security:
- Impact: A malicious application may be able to elevate privileges
- Description: A buffer overflow was addressed with improved size validation

WebKit:
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling

WebKit:
- Impact: Unexpected interaction with indexing types causing an ASSERT failure
- Description: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks

WebKit:
- Impact: Processing maliciously crafted web content may lead to a denial of service
- Description: A memory corruption issue was addressed through improved input validation

WebKit:
- Impact: A malicious website may exfiltrate data cross-origin
- Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation


iCloud Control Panel 7.3.0.20

WebKit:
- Available for: Windows 7 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: Multiple memory corruption issues were addressed with improved memory handling
- CVE-2018-4088: Jeonghoon Shin of Theori
- CVE-2018-4096: found by OSS-Fuzz


iCloud Control Panel 7.2.0.67
- Change log not available for this verison


iCloud Control Panel 7.1.0.34
- Change log not available for this verison


iCloud Control Panel 7.0.1.210
- SQLite available for: Windows 7 and later
- A memory corruption issue was addressed through improved input validation.
- Multiple memory corruption issues were addressed with improved memory handling.
- A logic issue existed in the handling of parent-tab. This issue was addressed with improved state management.
- A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes.
- An inconsistent user interface issue was addressed with improved state management.
- Application Cache policy may be unexpectedly applied


iCloud Control Panel 6.2.3.17
- Change log not available for this verison


iCloud Control Panel 6.2.2.39
- Multiple memory corruption issues were addressed with improved memory handling


iCloud Control Panel 6.2.1.67
- A client certificate was sent in plaintext. This issue was addressed through improved certificate handling
- Multiple memory corruption issues were addressed through improved memory handling
- Multiple memory corruption issues were addressed through improved memory handling
- A validation issue existed in element handling. This issue was addressed through improved validation


iCloud Control Panel 6.1.2.13
- Change log  not available for this version


iCloud Control Panel 6.1.0.30
- Multiple memory corruption issues were addressed through improved memory handling
- A memory corruption issue was addressed through improved state management
- The iCloud desktop client failed to clear sensitive information in memory


iCloud Control Panel 6.0.2.10
- Change log  not available for this version


iCloud Control Panel 6.0.1.41
- A memory corruption issue was addressed through improved memory handling


iCloud Control Panel 5.2.2.87
- Change log  not available for this version


iCloud Control Panel 5.2.1.69
- Change log  not available for this version