-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-09-25-3
Additional information for APPLE-SA-2017-09-19-2 Safari 11

Safari 11 addresses the following:

Safari
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-7087: Apple
CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend
Microas Zero Day Initiative
CVE-2017-7092: Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team,
Samuel Gro and Niklas Baumstark working with Trend Micro's Zero Day
Initiative
CVE-2017-7093: Samuel Gro and Niklas Baumstark working with Trend
Microas Zero Day Initiative
CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group
CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Microas Zero Day
Initiative
CVE-2017-7096: Wei Yuan of Baidu Security Lab
CVE-2017-7098: Felipe Freitas of Instituto TecnolA3gico de AeronA!utica
CVE-2017-7099: Apple
CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53
CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7104: likemeng of Baidu Secutity Lab
CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University
CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com)
working with Trend Micro's Zero Day Initiative
CVE-2017-7117: lokihardt of Google Project Zero
CVE-2017-7120: chenqin (ee|) of Ant-financial Light-Year Security
Lab
Entry added September 25, 2017

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue existed in the handling of the parent-tab.
This issue was addressed with improved state management.
CVE-2017-7089: Frans RosA(c)n of Detectify, Anton Lopanitsyn of ONSEC

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Cookies belonging to one origin may be sent to another origin
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.
CVE-2017-7090: Apple
Entry added September 25, 2017

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7106: Oliver Paukstadt of Thinking Objects GmbH (to.com)

WebKit
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: Application Cache policy may be unexpectedly applied.
CVE-2017-7109: avlidienbrunn
Entry added September 25, 2017

WebKit
Available for: OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: A malicious website may be able to track users in
Safari private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
Entry added September 25, 2017

WebKit Storage
Available for:  OS X El Capitan 10.11.6, and macOS Sierra 10.12.6,
macOS High Sierra 10.13
Impact: Website data may persist after a Safari Private browsing
session
Description: An information leakage issue existed in the handling of
website data in Safari Private windows. This issue was addressed with
improved data handling.
CVE-2017-7142: an anonymous researcher, an anonymous researcher, an
anonymous researcher
Entry added September 25, 2017

Additional recognition

WebKit
We would like to acknowledge xisigr of Tencent's Xuanwu Lab
(tencent.com) for their assistance.

Installation note:

Safari 11 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJZyUQfAAoJEIOj74w0bLRG/OcQAMYUtsjsKZSQngaIfrbsJJws
0FyAha36FHpQgo4EJ7sREcm31esSdE7DHoPG/8sG6WyP+H298kAAt7ZxedyBR17P
FmF5L6yr1CcuvVNI3fj8hA278tUF6MMPU3/PQiIrmRvWwjkQ50ZJvP8yAPqKsMhJ
+VhBFTgkGlg6Nb7baiT1pr6u/u0+MqsNaLiyWgz1GbTL9gOykKvl+hZMjOTWACzJ
eMr0XJSs6n8AcpxL/VDjhHJXucDckJUsW3DrtVC8DGWxCMHXYxQNjADVhuD/tme/
qfEvAdKDXk43Y2YZkpch6qExW6eC2HVKWCb3VVTtYxHiPSklhc1rBSNIXqQxP5vD
EVdqFDhx0jMhAH9wjQUaVpwQ2TWzxtdfuPLOr4v9e46e3zunnB8h5uCQt21LfQnH
e6KtinCcCjONkrrF1OMRyDX28vHGB69djTb4mCVDEHalq66BIh6o8vJpo7rSHATt
BO64xKKzwChaOzmBiWE60d3x6AWCfBwfKWy0iTCfSGlrVs3EWknK1bTQ8dUqdE02
x60GzQwvVhAgR8czyHtdCHK9Fym+SkixusyiHnvWOaJl/D1TE96Ng/XL83L/2TK6
YxO0GEf2KDbewr8uJg9gO5Dv433YY47unyRi1DrTjrjuE07RWs5nBLSXGBzx1Nvc
lOJZilco7jGI/wBK51Jf
=7GkF
-----END PGP SIGNATURE-----