Security Experts:

Connect with us

Hi, what are you looking for?



Apple Patches Vulnerabilities Disclosed at Pwn2Own

Apple on Monday released a new set of security updates to address more than 100 vulnerabilities in its products, including five that were disclosed at Pwn2Own in March 2017.

Apple on Monday released a new set of security updates to address more than 100 vulnerabilities in its products, including five that were disclosed at Pwn2Own in March 2017.

Four of the 37 bugs resolved in macOS Sierra 10.12.5 were disclosed at Pwn2Own: a Use-After-Free Privilege Escalation in IOGraphics (CVE-2017-2545), a Stack-based Buffer Overflow Privilege Escalation in WindowServer (CVE-2017-2541), an Information Disclosure in WindowServer (CVE-2017-2540), and an Unsigned Dylib Loading Privilege Escalation in Speech Framework (CVE-2017-6977).

The platform release also resolved issues in 802.1X, Accessibility Framework, CoreAnimation, CoreAudio, HFS, iBooks, Intel Graphics Driver, IOSurface, Kernel, Multi-Touch, NVIDIA Graphics Drivers, Sandbox, SQLite, and TextInput.

Exploitation of these bugs could lead to the capturing of user network credentials, arbitrary code execution, privilege escalation, sandbox escape, reading of restricted memory, the opening of arbitrary websites without user permission.

The newly released iOS 10.3.2 patches 41 bugs affecting AVEVideoEncoder, CoreAudio, iBooks, IOSurface, Kernel, Notifications, Safari, Security, SQLite, TextInput, and WebKit. The flaws could result in privilege escalation, arbitrary code execution, denial of service, reading of restricted memory, the execution of unsigned code, and universal cross site scripting.

A total of 26 vulnerabilities were resolved with the release of Safari 10.1.1. Two issues were addressed in Safari and could result in application denial of service or address bar spoofing, while the remaining 24 were patched in WebKit and could lead to arbitrary code execution, universal cross site scripting, or execution of unsigned code.

One of these was CVE-2017-2544, an Array concat Integer Overflow Remote Code Execution disclosed at Pawn2Own by 360 Security (@mj0011sec) working with Trend Micro’s Zero Day Initiative.

Apple fixed 12 bugs with the release of watchOS 3.2.2, affecting AVEVideoEncoder, CoreAudio, IOSurface, Kernel, SQLite, TextInput, and WebKit. Most could lead to arbitrary code execution, but some allow for privilege escalation or the reading of restricted memory.

Of the 23 flaws tvOS 10.2.1 resolves, 12 were found in WebKit and impacted Safari and iOS as well. The remaining issues affected AVEVideoEncoder, CoreAudio, IOSurface, Kernel, SQLite, and TextInput.

Additionally, Apple released iTunes 12.6.1 for Windows and iCloud for Windows 6.2.1 to resolve an arbitrary code execution bug in each (CVE-2017-6984 and CVE-2017-2530, respectively).

Related: Microsoft Patches Edge Flaws Disclosed at Pwn2Own

Related: Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own

Related: VMware Patches Flaws Disclosed at Pwn2Own

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.