PatchSiren cyber security CVE debrief

CVE-2017-2360 Apple CVE debrief

CVE-2017-2360 is a high-severity Apple kernel use-after-free disclosed on 2017-02-20. According to the NVD record, a crafted app could trigger the flaw and lead to arbitrary code execution in a privileged context or a denial of service. Apple listed fixes for iOS, macOS, tvOS, and watchOS in the vendor advisories referenced by NVD.

Vendor: Apple
Product: CVE-2017-2360
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple device fleet administrators, MDM and endpoint security teams, and users or organizations running affected iOS, macOS, tvOS, or watchOS versions should prioritize this issue.

Technical summary

The NVD record classifies the weakness as CWE-416 (use-after-free) with CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The affected versions listed in the record are iOS before 10.2.1, macOS before 10.12.3, tvOS before 10.1.1, and watchOS before 3.1.3. The flaw is in the Kernel component, and NVD states that a crafted app may trigger privileged code execution or denial of service.

Defensive priority

High

Recommended defensive actions

  • Upgrade iOS devices to 10.2.1 or later.
  • Upgrade macOS systems to 10.12.3 or later.
  • Upgrade tvOS devices to 10.1.1 or later.
  • Upgrade watchOS devices to 3.1.3 or later.
  • Use MDM or compliance tooling to identify and remediate devices below the fixed versions.
  • Review app installation and distribution controls on affected fleets until patching is complete.
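The MDM/compliance step above amounts to comparing each device's reported OS version against the fixed thresholds from the advisory. The script below is an added example, not PatchSiren or Apple code: it encodes the four fixed versions stated in this debrief, parses version strings numerically (so that 10.10 is correctly treated as newer than 10.2.1, which a plain string comparison would get wrong), and reports which devices in an inventory are still below the threshold. The inventory records are constructed sample data; a real run would feed in an export from your MDM.

```python
"""Fleet compliance check against the CVE-2017-2360 fixed-version thresholds.

Added example (not PatchSiren's or Apple's code). The fixed versions come from
the debrief above; the device inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum patched version per platform, as listed in the debrief.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "10.2.1",
    "macOS": "10.12.3",
    "tvOS": "10.1.1",
    "watchOS": "3.1.3",
}

# Constructed inventory records, shaped like a simplified MDM export.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device_id": "ipad-001", "platform": "iOS", "version": "10.2"},
    {"device_id": "iphone-002", "platform": "iOS", "version": "10.2.1"},
    {"device_id": "iphone-003", "platform": "iOS", "version": "10.10"},
    {"device_id": "mac-004", "platform": "macOS", "version": "10.12"},
    {"device_id": "mac-005", "platform": "macOS", "version": "10.12.3"},
    {"device_id": "atv-006", "platform": "tvOS", "version": "10.1"},
    {"device_id": "watch-007", "platform": "watchOS", "version": "3.1.3"},
    {"device_id": "srv-008", "platform": "Linux", "version": "4.9"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '10.12' or '10.12.3' into a comparable integer tuple.

    Missing trailing components count as zero, so '10.12' == '10.12.0'.
    Comparing tuples of ints avoids the string-ordering trap where
    '10.10' < '10.2.1' because '1' sorts before '2'.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the platform is affected and the version is below the fix.

    Platforms not named in the advisory are treated as not affected by this CVE.
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def find_noncompliant(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory records still below their platform's fixed version,
    each annotated with the version they need to reach."""
    findings = []
    for record in inventory:
        if is_vulnerable(record["platform"], record["version"]):
            finding = dict(record)
            finding["required"] = FIXED_VERSIONS[record["platform"]]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_INVENTORY):
        print(f"{f['device_id']}: {f['platform']} {f['version']} "
              f"is below fixed version {f['required']}")
```

Running the script prints one line per device that still needs an update; everything at or above the threshold, and every platform the advisory does not name, is silent.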

Evidence notes

This debrief is based on the supplied CVE record and NVD metadata. The published CVE date is 2017-02-20, and the later modified date is not treated as the disclosure date. NVD lists CWE-416 and the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and it references Apple vendor advisories for the fixed version thresholds.

Official resources

Publicly disclosed on 2017-02-20. The supplied record was later modified on 2026-05-13, but this debrief uses the original CVE publication date for timing context.