An issue exists in certain Apple products. iOS prior to 10.3 is affected. Safari prior to 10.1 is affected. The issue involves the "WebKit" component. It allows remote malicious users to bypass a Content Security Policy protection mechanism via unspecified vectors.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apple safari |
||
apple iphone os |
Tells Cisco's Talos it's a feature, not a bug. Apple and Google disagree and fixed it
Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch? Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft". Grødum posted news of Microsoft's attitude here, explaining that if you use Chrome 57.0.2987.98 or later, you're already protected against CVE-2017-5033. Ditto users of iOS later than 10.3 and Safari lat...