PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2355 Apple CVE debrief

CVE-2017-2355 is an Apple WebKit vulnerability affecting multiple Apple products before their fixed releases. According to the CVE description, a crafted website could trigger uninitialized memory access leading to application crash, and potentially remote code execution. The published record assigns a high severity score and a network-facing attack vector, but it also requires user interaction.

Vendor: Apple
Product: CVE-2017-2355
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations that manage Apple endpoints or user browsing risk should pay attention, especially where iOS, Safari, iCloud for Windows, iTunes for Windows, or tvOS devices may still be on vulnerable versions. Security teams should also review any WebKit-dependent exposure in mixed environments.

Technical summary

The NVD record describes a WebKit component flaw with CWE-119 classification and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue affects iOS before 10.2.1, Safari before 10.0.3, iCloud before 6.1.1, iTunes before 12.5.5, and tvOS before 10.1.1, with the CVE text also describing remote exploitation through a crafted website. NVD’s CPE criteria additionally list WebKitGTK+ before 2.16.3.

Defensive priority

High — the issue is network-reachable, requires no privileges, and can lead to code execution or denial of service, so patching vulnerable Apple/WebKit installations should be prioritized.

Recommended defensive actions

  • Upgrade iOS to 10.2.1 or later.
  • Upgrade Safari to 10.0.3 or later.
  • Upgrade iCloud for Windows to 6.1.1 or later.
  • Upgrade iTunes for Windows to 12.5.5 or later.
  • Upgrade tvOS to 10.1.1 or later.
  • Review whether any WebKit-based components or linked products remain on vulnerable versions and remediate them through vendor guidance.
  • Use the Apple security advisories and NVD record to confirm the exact fixed builds in your environment.
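As an added example (not PatchSiren's own tooling; hostnames and inventory values are constructed), the following Python checks an inventory against the fixed releases listed above, padding short version strings so that 10.2 is correctly treated as older than 10.2.1 and stripping build suffixes such as "(14U71)":

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases as listed in this debrief; anything older is vulnerable.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "10.2.1",
    "Safari": "10.0.3",
    "iCloud for Windows": "6.1.1",
    "iTunes for Windows": "12.5.5",
    "tvOS": "10.1.1",
    "WebKitGTK+": "2.16.3",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.1 (14D27)' -> (10, 2, 1); stops at the first non-numeric component."""
    head = (text.strip().split() or [""])[0]
    parts: List[int] = []
    for piece in head.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Pad the shorter tuple with zeros so that 10.2 == 10.2.0 < 10.2.1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if below the fixed release, False if fixed, None if product unknown."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return compare_versions(parse_version(version), parse_version(fixed)) < 0

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows still on a vulnerable version."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]

# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("mdm-iphone-01", "iOS", "10.2"),
    ("mac-lab-02", "Safari", "10.0.3"),
    ("appletv-05", "tvOS", "10.1 (14U71)"),
    ("mac-lab-06", "macOS", "10.12.3"),
]
```

Rows for products not in the table return None rather than False so they are reported as unknown rather than silently treated as patched.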

Evidence notes

The supplied CVE description states that the issue affects certain Apple products and involves the WebKit component, with remote attackers able to execute arbitrary code or cause denial of service via a crafted website. The NVD record provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and identifies CWE-119. The supplied NVD metadata lists affected version cutoffs for iOS, Safari, iCloud, iTunes, and tvOS, and also includes a WebKitGTK+ CPE criterion. No KEV entry is present in the supplied enrichment.

Official resources

Publicly disclosed on 2017-02-20 per the supplied CVE published timestamp; the NVD record was later modified on 2026-05-13. The supplied record does not include exploit details beyond the crafted-website trigger and impact summary.