About the security content of macOS Sierra 10.12

This document describes the security content of macOS Sierra 10.12.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.

Apple security documents reference vulnerabilities by CVE-ID when possible.

macOS Sierra 10.12

apache

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to proxy traffic through an arbitrary server

Description: An issue existed in the handling of the HTTP_PROXY environment variable. This issue was addressed by not setting the HTTP_PROXY environment variable from CGI.

CVE-2016-4694: Dominic Scheirlinck and Scott Geary of Vend

apache_mod_php

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in PHP, the most significant of which may lead to unexpected application termination or arbitrary code execution.

Description: Multiple issues in PHP were addressed by updating PHP to version 5.6.24.

CVE-2016-5768

CVE-2016-5769

CVE-2016-5770

CVE-2016-5771

CVE-2016-5772

CVE-2016-5773

CVE-2016-6174

CVE-2016-6288

CVE-2016-6289

CVE-2016-6290

CVE-2016-6291

CVE-2016-6292

CVE-2016-6294

CVE-2016-6295

CVE-2016-6296

CVE-2016-6297

Apple HSSPI Support

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4697: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative

AppleEFIRuntime

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-4696: Shrek_wzw of Qihoo 360 Nirvan Team

AppleMobileFileIntegrity

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to execute arbitrary code with system privileges

Description: A validation issue existed in the task port inheritance policy. This issue was addressed through improved validation of the process entitlement and Team ID.

CVE-2016-4698: Pedro Vilaça

AppleUUC

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved input validation.

CVE-2016-4699: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro's Zero Day Initiative

CVE-2016-4700: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro’s Zero Day Initiative

Application Firewall

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to cause a denial of service

Description: A validation issue existed in the handling of firewall prompts. This issue was addressed through improved validation of SO_EXECPATH.

CVE-2016-4701: Meder Kydyraliev Google Security Team

ATS

Available for: OS X Lion v10.7.5 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4779: riusksk of Tencent Security Platform Department

Audio

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to execute arbitrary code

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4702: YoungJin Yoon, MinSik Shin, HoJae Han, Sunghyun Park, and Taekyoung Kwon of Information Security Lab, Yonsei University.

Bluetooth

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2016-4703: Juwei Lin (@fuzzerDOTcn) of Trend Micro

cd9660

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to cause a system denial of service

Description: An input validation issue was addressed through improved memory handling.

CVE-2016-4706: Recurity Labs on behalf of BSI (German Federal Office for Information Security)

CFNetwork

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to discover websites a user has visited

Description: An issue existed in Local Storage deletion. This issue was addressed through improved Local Storage cleanup.

CVE-2016-4707: an anonymous researcher

CFNetwork

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may compromise user information

Description: An input validation issue existed in the parsing of the set-cookie header. This issue was addressed through improved validation checking.

CVE-2016-4708: Dawid Czagan of Silesia Security Lab

CommonCrypto

Available for: OS X Lion v10.7.5 and later

Impact: An application using CCrypt may disclose sensitive plaintext if the output and input buffer are the same

Description: An input validation issue existed in corecrypto. This issue was addressed through improved input validation.

CVE-2016-4711: Max Lohrmann

CoreCrypto

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code

Description: An out-of-bounds write issue was addressed by removing the vulnerable code.

CVE-2016-4712: Gergo Koteles

CoreDisplay

Available for: OS X Lion v10.7.5 and later

Impact: A user with screen sharing access may be able to view another user's screen

Description: A session management issue existed in the handling of screen sharing sessions. This issue was addressed through improved session tracking.

CVE-2016-4713: Ruggero Alberti

curl

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in curl

Description: Multiple security issues existed in curl prior to version 7.49.1. These issues were addressed by updating curl to version 7.49.1.

CVE-2016-0755: Isaac Boukris

Date & Time Pref Pane

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to determine a user's current location

Description: An issue existed in the handling of the .GlobalPreferences file. This was addressed though improved validation.

CVE-2016-4715: Taiki (@Taiki__San) at ESIEA (Paris)

DiskArbitration

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to execute arbitrary code with system privileges

Description: An access issue existed in diskutil. This issue was addressed through improved permissions checking.

CVE-2016-4716: Alexander Allen of The North Carolina School of Science and Mathematics

File Bookmark

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to cause a denial of service

Description: A resource management issue existed in the handling of scoped bookmarks. This issue was addressed through improved file descriptor handling.

CVE-2016-4717: Tom Bradley of 71Squared Ltd

FontParser

Available for: OS X Lion v10.7.5 and later

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.

CVE-2016-4718: Apple

IDS - Connectivity

Available for: OS X Lion v10.7.5 and later

Impact: An attacker in a privileged network position may be able to cause a denial of service

Description: A spoofing issue existed in the handling of Call Relay. This issue was addressed through improved input validation.

CVE-2016-4722: Martin Vigo (@martin_vigo) of salesforce.com

ImageIO

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted image may result in the disclosure of process memory

Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.

CVE-2016-4682: Ke Liu of Tencent's Xuanwu Lab

Intel Graphics Driver

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4723: daybreaker of Minionz

Intel Graphics Driver

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-2016-7582: Liang Chen of Tencent KeenLab

IOAcceleratorFamily

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-4724: Cererdlong, Eakerqiu of Team OverSky

IOAcceleratorFamily

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: A memory corruption issue was addressed through improved input validation.

CVE-2016-4725: Rodger Combs of Plex, Inc

IOAcceleratorFamily

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4726: an anonymous researcher

IOThunderboltFamily

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4727: wmin working with Trend Micros Zero Day Initiative

Kerberos v5 PAM module

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may determine the existence of user accounts

Description: A timing side channel allowed an attacker to determine the existence of user accounts on a system. This issue was addressed by introducing constant time checks.

CVE-2016-4745: an anonymous researcher

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to access restricted files

Description: A parsing issue in the handling of directory paths was addressed through improved path validation.

CVE-2016-4771: Balazs Bucsay, Research Director of MRG Effitas

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to cause a denial of service

Description: A lock handling issue was addressed through improved lock handling.

CVE-2016-4772: Marc Heuse of mh-sec

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to determine kernel memory layout

Description: Multiple out-of-bounds read issues existed that led to the disclosure of kernel memory. These were addressed through improved input validation.

CVE-2016-4773: Brandon Azad

CVE-2016-4774: Brandon Azad

CVE-2016-4776: Brandon Azad

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4775: Brandon Azad

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An untrusted pointer dereference was addressed by removing the affected code.

CVE-2016-4777: Lufeng Li of Qihoo 360 Vulcan Team

Kernel

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4778: CESG

libarchive

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.

CVE-2016-4736: Proteas of Qihoo 360 Nirvan Team

libxml2

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in libxml2, the most significant of which may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4658: Nick Wellnhofer

CVE-2016-5131: Nick Wellnhofer

libxpc

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to break out of its sandbox

Description: Multiple weaknesses existed with spawning new processes using launchctl. These issues were addressed through improved policy enforcement.

CVE-2016-4617: Gregor Kopf of Recurity Labs on behalf of BSI (German Federal Office for Information Security)

libxslt

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4738: Nick Wellnhofer

Mail

Available for: OS X Lion v10.7.5 and later

Impact: A malicious website may be able to cause a denial-of-service

Description: A denial of service issue was addressed through improved URL handling.

CVE-2016-7580: Sabri Haddouche (@pwnsdx)

mDNSResponder

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to view sensitive information

Description: Applications using VMnet.framework enabled a DNS proxy listening on all network interfaces. This issue was addressed by restricting DNS query responses to local interfaces.

CVE-2016-4739: Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker, Inc.

NSSecureTextField

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to leak a user's credentials

Description: A state management issue existed in NSSecureTextField, which failed to enable Secure Input. This issue was addressed through improved window management.

CVE-2016-4742: Rick Fillion of AgileBits, Daniel Jalkut of Red Sweater Software

Perl

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to bypass the taint protection mechanism

Description: An issue existed in the parsing of environment variables. This issue was addressed through improved validation of environment variables.

CVE-2016-4748: Stephane Chazelas

S2 Camera

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4750: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro’s Zero Day Initiative

Security

Available for: OS X Lion v10.7.5 and later

Impact: An application using SecKeyDeriveFromPassword may leak memory

Description: A resource management issue existed in the handling of key derivation. This issue was addressed by adding CF_RETURNS_RETAINED to SecKeyDeriveFromPassword.

CVE-2016-4752: Mark Rogers of PowerMapper Software

Security

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A validation issue existed in signed disk images. This issue was addressed through improved size validation.

CVE-2016-4753: Mark Mentovai of Google Inc.

Terminal

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to leak sensitive user information

Description: A permissions issue existed in .bash_history and .bash_session. This issue was addressed through improved access restrictions.

CVE-2016-4755: Axel Luttgens

WindowServer

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to gain root privileges

Description: A type confusion issue was addressed through improved memory handling.

CVE-2016-4709: an anonymous researcher working with Trend Micro's Zero Day Initiative

CVE-2016-4710: an anonymous researcher working with Trend Micro's Zero Day Initiative