About the security content of macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
This document describes the security content of macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
afclip
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-7016: riusksk (泉哥) of Tencent Security Platform Department
afclip
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7033: riusksk (泉哥) of Tencent Security Platform Department
AppleGraphicsControl
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13853: shrek_wzw from Qihoo 360 NirvanTeam
AppleGraphicsPowerManagement
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team
Audio
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7015: riusksk (泉哥) of Tencent Security Platform Department
Bluetooth
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7050: Min (Spark) Zheng of Alibaba Inc.
CVE-2017-7051: Alex Plaskett of MWR InfoSecurity
Bluetooth
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7054: Alex Plaskett of MWR InfoSecurity, Lufeng Li of Qihoo 360 Vulcan Team
Contacts
Available for: macOS Sierra 10.12.5
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-7062: Shashank (@cyberboyIndia)
CoreAudio
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
curl
Available for: macOS Sierra 10.12.5
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to version 7.54.0.
CVE-2016-9586
CVE-2016-9594
CVE-2017-2629
CVE-2017-7468
Foundation
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-7031: HappilyCoded (ant4g0nist and r3dsm0k3)
Font Importer
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-13850: John Villamil, Doyensec
Intel Graphics Driver
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7014: Lee of Minionz, Axis and sss of Qihoo 360 Nirvan Team
CVE-2017-7017: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7035: shrek_wzw of Qihoo 360 Nirvan Team
CVE-2017-7044: shrek_wzw of Qihoo 360 Nirvan Team
Intel Graphics Driver
Available for: macOS Sierra 10.12.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7036: shrek_wzw of Qihoo 360 Nirvan Team
CVE-2017-7045: shrek_wzw of Qihoo 360 Nirvan Team
IOUSBFamily
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7022: an anonymous researcher
CVE-2017-7024: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7023: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7025: an anonymous researcher
CVE-2017-7027: an anonymous researcher
CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7026: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7028: an anonymous researcher
CVE-2017-7029: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7067: shrek_wzw of Qihoo 360 Nirvan Team
kext tools
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7032: Axis and sss of Qihoo 360 Nirvan Team
libarchive
Available for: macOS Sierra 10.12.5
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2017-7068: found by OSS-Fuzz
libxml2
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-7010: Apple
CVE-2017-7013: found by OSS-Fuzz
libxpc
Available for: macOS Sierra 10.12.5 and OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7047: Ian Beer of Google Project Zero
Wi-Fi
Available for: macOS Sierra 10.12.5
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7065: Gal Beniamini of Google Project Zero
Wi-Fi
Available for: macOS Sierra 10.12.5
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
Additional recognition
curl
We would like to acknowledge Dave Murdock of Tangerine Element for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.