About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002

This document describes the security content of OS X El Capitan v10.11.4 and Security Update 2016-002.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

OS X El Capitan 10.11.4 and Security Update 2016-002

  • apache_mod_php

    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

    Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.

    CVE-ID

    CVE-2015-8126 : Adam Mariš

    CVE-2015-8472 : Adam Mariš

  • AppleRAID

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue was addressed through improved input validation.

    CVE-ID

    CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team

  • AppleRAID

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A local user may be able to determine kernel memory layout

    Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.

    CVE-ID

    CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team

  • AppleUSBNetworking

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A USB device may be able to cause a denial of service

    Description: An error handling issue existed in packet validation. This issue was addressed through improved error handling.

    CVE-ID

    CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path

  • Bluetooth

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1735 : Jeonghoon Shin@A.D.D

    CVE-2016-1736 : beist and ABH of BoB

  • Carbon

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.

    CVE-ID

    CVE-2016-1737 : HappilyCoded (ant4g0nist &r3dsm0k3)

  • dyld

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An attacker may tamper with code-signed applications to execute arbitrary code in the application's context

    Description: A code signing verification issue existed in dyld. This issue was addressed with improved validation.

    CVE-ID

    CVE-2016-1738 : beist and ABH of BoB

  • FontParser

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue was addressed through improved memory handling.

    CVE-ID

    CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI)

  • HTTPProtocol

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A remote attacker may be able to execute arbitrary code

    Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.

    CVE-ID

    CVE-2015-8659

  • Intel Graphics Driver

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1743 : Piotr Bania of Cisco Talos

    CVE-2016-1744 : Ian Beer of Google Project Zero

  • IOFireWireFamily

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A local user may be able to cause a denial of service

    Description: A null pointer dereference was addressed through improved validation.

    CVE-ID

    CVE-2016-1745 : sweetchip of Grayhash

  • IOGraphics

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue was addressed through improved input validation.

    CVE-ID

    CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)

    CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)

  • IOHIDFamily

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to determine kernel memory layout

    Description: A memory corruption issue was addressed through improved memory handling.

    CVE-ID

    CVE-2016-1748 : Brandon Azad

  • IOUSBFamily

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A use after free issue was addressed through improved memory management.

    CVE-ID

    CVE-2016-1750 : CESG

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A race condition existed during the creation of new processes. This was addressed through improved state handling.

    CVE-ID

    CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaça

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A null pointer dereference was addressed through improved input validation.

    CVE-ID

    CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team

  • Kernel

    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2016-1755 : Ian Beer of Google Project Zero

    CVE-2016-1759 : lokihardt

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to determine kernel memory layout

    Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.

    CVE-ID

    CVE-2016-1758 : Brandon Azad

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple integer overflows were addressed through improved input validation.

    CVE-ID

    CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)

  • Kernel

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to cause a denial of service

    Description: A denial of service issue was addressed through improved validation.

    CVE-ID

    CVE-2016-1752 : CESG

  • libxml2

    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

    Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-1819

    CVE-2015-5312 : David Drysdale of Google

    CVE-2015-7499

    CVE-2015-7500 : Kostya Serebryany of Google

    CVE-2015-7942 : Kostya Serebryany of Google

    CVE-2015-8035 : gustavo.grieco

    CVE-2015-8242 : Hugh Davenport

    CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI)

    CVE-2016-1762

  • Messages

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Clicking a JavaScript link can reveal sensitive user information

    Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.

    CVE-ID

    CVE-2016-1764 : Matthew Bryant of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox

  • Messages

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments

    Description: A cryptographic issue was addressed by rejecting duplicate messages on the client.

    CVE-ID

    CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University

  • NVIDIA Graphics Drivers

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1741 : Ian Beer of Google Project Zero

  • OpenSSH

    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

    Impact: Connecting to a server may leak sensitive user information, such as a client's private keys

    Description: Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client.

    CVE-ID

    CVE-2016-0777 : Qualys

    CVE-2016-0778 : Qualys

  • OpenSSH

    Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5

    Impact: Multiple vulnerabilities in LibreSSL

    Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.

    CVE-ID

    CVE-2015-5333 : Qualys

    CVE-2015-5334 : Qualys

  • OpenSSL

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A remote attacker may be able to cause a denial of service

    Description: A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh.

    CVE-ID

    CVE-2015-3195

  • Python

    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

    Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.

    CVE-ID

    CVE-2014-9495

    CVE-2015-0973

    CVE-2015-8126 : Adam Mariš

    CVE-2015-8472 : Adam Mariš

  • QuickTime

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1767 : Francis Provencher from COSIG

    CVE-2016-1768 : Francis Provencher from COSIG

  • QuickTime

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues were addressed through improved memory handling.

    CVE-ID

    CVE-2016-1769 : Francis Provencher from COSIG

  • Reminders

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Clicking a tel link can make a call without prompting the user

    Description: A user was not prompted before invoking a call. This was addressed through improved entitlement checks.

    CVE-ID

    CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of Laurent.ca

  • Ruby

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

    Description: An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. This issue was addressed by updating to version 2.0.0-p648.

    CVE-ID

    CVE-2015-7551

  • Security

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: A local user may be able to check for the existence of arbitrary files

    Description: A permissions issue existed in code signing tools. This was addressed though additional ownership checks.

    CVE-ID

    CVE-2016-1773 : Mark Mentovai of Google Inc.

  • Security

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

    Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2016-1950 : Francis Gabriel of Quarkslab

  • Tcl

    Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

    Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by removing libpng.

    CVE-ID

    CVE-2015-8126

  • TrueTypeScaler

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI)

  • Wi-Fi

    Available for: OS X El Capitan v10.11 to v10.11.3

    Impact: An attacker with a privileged network position may be able to execute arbitrary code

    Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.

    CVE-ID

    CVE-2016-0801 : an anonymous researcher

    CVE-2016-0802 : an anonymous researcher

OS X El Capitan 10.11.4 includes the security content of Safari 9.1.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: