About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite

This document describes the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.

Apple security documents reference vulnerabilities by CVE-ID when possible.

macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite

Released March 27, 2017

apache

Available for: macOS Sierra 10.12.3

Impact: A remote attacker may be able to cause a denial of service

Description: Multiple issues existed in Apache before 2.4.25. These were addressed by updating Apache to version 2.4.25.

CVE-2016-0736

CVE-2016-2161

CVE-2016-5387

CVE-2016-8740

CVE-2016-8743

Entry updated March 28, 2017

apache_mod_php

Available for: macOS Sierra 10.12.3

Impact: Multiple issues existed in PHP before 5.6.30

Description: Multiple issues existed in PHP before 5.6.30. These were addressed by updating PHP to version 5.6.30.

CVE-2016-10158

CVE-2016-10159

CVE-2016-10160

CVE-2016-10161

CVE-2016-9935

AppleGraphicsPowerManagement

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed through improved memory handling.

CVE-2017-2421: @cocoahuke

AppleRAID

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-2017-2438: sss and Axis of 360Nirvanteam

Audio

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2430: an anonymous researcher working with Trend Micro’s Zero Day Initiative

CVE-2017-2462: an anonymous researcher working with Trend Micro’s Zero Day Initiative

Bluetooth

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2017-2420: Pekka Oikarainen, Matias Karhumaa and Marko Laakso of Synopsys Software Integrity Group

Bluetooth

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2017-2427: Axis and sss of Qihoo 360 Nirvan Team

Bluetooth

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-2017-2449: sss and Axis from 360NirvanTeam

Carbon

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution

Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.

CVE-2017-2379: riusksk (泉哥) of Tencent Security Platform Department, John Villamil, Doyensec

CoreGraphics

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: An infinite recursion was addressed through improved state management.

CVE-2017-2417: riusksk (泉哥) of Tencent Security Platform Department

CoreMedia

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted .mov file may lead to arbitrary code execution

Description: A memory corruption issue existed in the handling of .mov files. This issue was addressed through improved memory management.

CVE-2017-2431: kimyok of Tencent Security Platform Department

CoreText

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2435: John Villamil, Doyensec

CoreText

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed through improved input validation.

CVE-2017-2450: John Villamil, Doyensec

CoreText

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted text message may lead to application denial of service

Description: A resource exhaustion issue was addressed through improved input validation.

CVE-2017-2461: Isaac Archambault of IDAoADI, an anonymous researcher

curl

Available for: macOS Sierra 10.12.3

Impact: Maliciously crafted user input to libcurl API may allow arbitrary code execution

Description: A buffer overflow was addressed through improved bounds checking.

CVE-2016-9586: Daniel Stenberg of Mozilla

EFI

Available for: macOS Sierra 10.12.3

Impact: A malicious Thunderbolt adapter may be able to recover the FileVault 2 encryption password

Description: An issue existed in the handling of DMA. This issue was addressed by enabling VT-d in EFI.

CVE-2016-7585: Ulf Frisk (@UlfFrisk)

FinderKit

Available for: macOS Sierra 10.12.3

Impact: Permissions may unexpectedly reset when sending links

Description: A permission issue existed in the handling of the Send Link feature of iCloud Sharing. This issue was addressed through improved permission controls.

CVE-2017-2429

FontParser

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved input validation.

CVE-2017-2487: riusksk (泉哥) of Tencent Security Platform Department

CVE-2017-2406: riusksk (泉哥) of Tencent Security Platform Department

FontParser

Available for: macOS Sierra 10.12.3

Impact: Parsing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved input validation.

CVE-2017-2407: riusksk (泉哥) of Tencent Security Platform Department

FontParser

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed through improved input validation.

CVE-2017-2439: John Villamil, Doyensec

FontParser

Available for: OS X El Capitan v10.11.6 and OS X Yosemite v10.10.5

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution 

Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.

CVE-2016-4688: Simon Huang of Alipay company

Entry added April 11, 2017

HTTPProtocol

Available for: macOS Sierra 10.12.3

Impact: A malicious HTTP/2 server may be able to cause undefined behavior

Description: Multiple issues existed in nghttp2 before 1.17.0. These were addressed by updating nghttp2 to version 1.17.0.

CVE-2017-2428

Entry updated March 28, 2017

Hypervisor

Available for: macOS Sierra 10.12.3

Impact: Applications using the Hypervisor framework may unexpectedly leak the CR8 control register between guest and host

Description: An information leakage issue was addressed through improved state management.

CVE-2017-2418: Alex Fishman and Izik Eidus of Veertu Inc.

iBooks

Available for: macOS Sierra 10.12.3

Impact: Parsing a maliciously crafted iBooks file may lead to local file disclosure

Description: An information leak existed in the handling of file URLs. This issue was addressed through improved URL handling.

CVE-2017-2426: Craig Arendt of Stratum Security, Jun Kokatsu (@shhnjk)

ImageIO

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2416: Qidan He (何淇丹, @flanker_hqd) of KeenLab, Tencent

ImageIO

Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2432: an anonymous researcher working with Trend Micro's Zero Day Initiative

ImageIO

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2467

ImageIO

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted image may lead to unexpected application termination

Description: An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in ImageIO to version 4.0.7.

CVE-2016-3619

Intel Graphics Driver

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges 

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2443: Ian Beer of Google Project Zero

Intel Graphics Driver

Available for: macOS Sierra 10.12.3

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2017-2489: Ian Beer of Google Project Zero

Entry added March 31, 2017

IOATAFamily

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2017-2408: Yangkang (@dnpushme) of Qihoo360 Qex Team

IOFireWireAVC

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2436: Orr A, IBM Security

IOFireWireAVC

Available for: macOS Sierra 10.12.3

Impact: A local attacker may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2437: Benjamin Gnahm (@mitp0sh) of Blue Frost Security

IOFireWireFamily

Available for: macOS Sierra 10.12.3

Impact: An application may be able to cause a denial of service

Description: A null pointer dereference was addressed through improved input validation.

CVE-2017-2388: Brandon Azad, an anonymous researcher

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2398: Lufeng Li of Qihoo 360 Vulcan Team

CVE-2017-2401: Lufeng Li of Qihoo 360 Vulcan Team

Kernel

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.

CVE-2017-2410: Apple

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2017-2440: an anonymous researcher

Kernel

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with root privileges

Description: A race condition was addressed through improved memory handling.

CVE-2017-2456: lokihardt of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-2017-2472: Ian Beer of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-2473: Ian Beer of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An off-by-one issue was addressed through improved bounds checking.

CVE-2017-2474: Ian Beer of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed through improved locking.

CVE-2017-2478: Ian Beer of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed through improved memory handling.

CVE-2017-2482: Ian Beer of Google Project Zero

CVE-2017-2483: Ian Beer of Google Project Zero

Kernel

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with elevated privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2017-2490: Ian Beer of Google Project Zero, The UK's National Cyber Security Centre (NCSC)

Entry added March 31, 2017

Keyboards

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code

Description: A buffer overflow was addressed through improved bounds checking.

CVE-2017-2458: Shashank (@cyberboyIndia)

Keychain

Available for: macOS Sierra 10.12.3

Impact: An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain.

Description: In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets. This issue was addressed through improved validation.

CVE-2017-2448: Alex Radocea of Longterm Security, Inc.

Entry updated March 30, 2017

libarchive

Available for: macOS Sierra 10.12.3

Impact: A local attacker may be able to change file system permissions on arbitrary directories

Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.

CVE-2017-2390: Omer Medan of enSilo Ltd

libc++abi

Available for: macOS Sierra 10.12.3

Impact: Demangling a malicious C++ application may lead to arbitrary code execution

Description: A use after free issue was addressed through improved memory management.

CVE-2017-2441

LibreSSL

Available for: macOS Sierra 10.12.3 and OS X El Capitan v10.11.6

Impact: A local user may be able to leak sensitive user information

Description: A timing side channel allowed an attacker to recover keys. This issue was addressed by introducing constant time computation.

CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology)

libxslt

Available for: OS X El Capitan v10.11.6

Impact: Multiple vulnerabilities in libxslt

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2017-2477

Entry added March 30, 2017

libxslt

Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and Yosemite v10.10.5

Impact: Multiple vulnerabilities in libxslt

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2017-5029: Holger Fuhrmannek

Entry added March 28, 2017

MCX Client

Available for: macOS Sierra 10.12.3

Impact: Removing a configuration profile with multiple payloads may not remove Active Directory certificate trust

Description: An issue existed in profile uninstallation. This issue was addressed through improved cleanup.

CVE-2017-2402: an anonymous researcher

Menus

Available for: macOS Sierra 10.12.3

Impact: An application may be able to disclose process memory

Description: An out-of-bounds read was addressed through improved input validation.

CVE-2017-2409: Sergey Bylokhov

Multi-Touch

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2017-2422: @cocoahuke

OpenSSH

Available for: macOS Sierra 10.12.3

Impact: Multiple issues in OpenSSH

Description: Multiple issues existed in OpenSSH before version 7.4. These were addressed by updating OpenSSH to version 7.4.

CVE-2016-10009

CVE-2016-10010

CVE-2016-10011

CVE-2016-10012

OpenSSL

Available for: macOS Sierra 10.12.3

Impact: A local user may be able to leak sensitive user information

Description: A timing side channel issue was addressed by using constant time computation.

CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology)

Printing

Available for: macOS Sierra 10.12.3

Impact: Clicking a malicious IPP(S) link may lead to arbitrary code execution

Description: An uncontrolled format string issue was addressed through improved input validation.

CVE-2017-2403: beist of GrayHash

python

Available for: macOS Sierra 10.12.3

Impact: Processing maliciously crafted zip archives with Python may lead to arbitrary code execution

Description: A memory corruption issue existed in the handling of zip archives. This issue was addressed through improved input validation.

CVE-2016-5636

QuickTime

Available for: macOS Sierra 10.12.3

Impact: Viewing a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in QuickTime. This issue was addressed through improved memory handling.

CVE-2017-2413: Simon Huang(@HuangShaomang) and pjf of IceSword Lab of Qihoo 360

Security

Available for: macOS Sierra 10.12.3

Impact: Validating empty signatures with SecKeyRawVerify() may unexpectedly succeed

Description: An validation issue existed with cryptographic API calls. This issue was addressed through improved parameter validation.

CVE-2017-2423: an anonymous researcher

Security

Available for: macOS Sierra 10.12.3

Impact: An application may be able to execute arbitrary code with root privileges

Description: A buffer overflow was addressed through improved bounds checking.

CVE-2017-2451: Alex Radocea of Longterm Security, Inc.

Security

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted x509 certificate may lead to arbitrary code execution

Description: A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation.

CVE-2017-2485: Aleksandar Nikolic of Cisco Talos

SecurityFoundation

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

Description: A double free issue was addressed through improved memory management.

CVE-2017-2425: kimyok of Tencent Security Platform Department

sudo

Available for: macOS Sierra 10.12.3

Impact: A user in an group named "admin" on a network directory server may be able to unexpectedly escalate privileges using sudo

Description: An access issue existed in sudo. This issue was addressed through improved permissions checking.

CVE-2017-2381

System Integrity Protection

Available for: macOS Sierra 10.12.3

Impact: A malicious application may be able to modify protected disk locations

Description: A validation issue existed in the handling of system installation. This issue was addressed through improved handling and validation during the installation process.

CVE-2017-6974: Patrick Wardle of Synack

tcpdump

Available for: macOS Sierra 10.12.3

Impact: An attacker in a privileged network position may be able to execute arbitrary code with user assistance

Description: Multiple issues existed in tcpdump before 4.9.0. These were addressed by updating tcpdump to version 4.9.0.

CVE-2016-7922

CVE-2016-7923

CVE-2016-7924

CVE-2016-7925

CVE-2016-7926

CVE-2016-7927

CVE-2016-7928

CVE-2016-7929

CVE-2016-7930

CVE-2016-7931

CVE-2016-7932

CVE-2016-7933

CVE-2016-7934

CVE-2016-7935

CVE-2016-7936

CVE-2016-7937

CVE-2016-7938

CVE-2016-7939

CVE-2016-7940

CVE-2016-7973

CVE-2016-7974

CVE-2016-7975

CVE-2016-7983

CVE-2016-7984

CVE-2016-7985

CVE-2016-7986

CVE-2016-7992

CVE-2016-7993

CVE-2016-8574

CVE-2016-8575

CVE-2017-5202

CVE-2017-5203

CVE-2017-5204

CVE-2017-5205

CVE-2017-5341

CVE-2017-5342

CVE-2017-5482

CVE-2017-5483

CVE-2017-5484

CVE-2017-5485

CVE-2017-5486

tiffutil

Available for: macOS Sierra 10.12.3

Impact: Processing a maliciously crafted image may lead to unexpected application termination

Description: An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in AKCmds to version 4.0.7.

CVE-2016-3619

CVE-2016-9533

CVE-2016-9535

CVE-2016-9536

CVE-2016-9537

CVE-2016-9538

CVE-2016-9539

CVE-2016-9540

macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite includes the security content of Safari 10.1.

Additional recognition

XNU

We would like to acknowledge Lufeng Li of Qihoo 360 Vulcan Team for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date: