About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
This document describes the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
apache
Available for: macOS Sierra 10.12.3
Impact: A remote attacker may be able to cause a denial of service
Description: Multiple issues existed in Apache before 2.4.25. These were addressed by updating Apache to version 2.4.25.
CVE-2016-0736
CVE-2016-2161
CVE-2016-5387
CVE-2016-8740
CVE-2016-8743
apache_mod_php
Available for: macOS Sierra 10.12.3
Impact: Multiple issues existed in PHP before 5.6.30
Description: Multiple issues existed in PHP before 5.6.30. These were addressed by updating PHP to version 5.6.30.
CVE-2016-10158
CVE-2016-10159
CVE-2016-10160
CVE-2016-10161
CVE-2016-9935
AppleGraphicsPowerManagement
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed through improved memory handling.
CVE-2017-2421: @cocoahuke
AppleRAID
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2438: sss and Axis of 360Nirvanteam
Audio
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2430: an anonymous researcher working with Trend Micro’s Zero Day Initiative
CVE-2017-2462: an anonymous researcher working with Trend Micro’s Zero Day Initiative
Bluetooth
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2420: Pekka Oikarainen, Matias Karhumaa and Marko Laakso of Synopsys Software Integrity Group
Bluetooth
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2427: Axis and sss of Qihoo 360 Nirvan Team
Bluetooth
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2449: sss and Axis from 360NirvanTeam
Carbon
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution
Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.
CVE-2017-2379: riusksk (泉哥) of Tencent Security Platform Department, John Villamil, Doyensec
CoreGraphics
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: An infinite recursion was addressed through improved state management.
CVE-2017-2417: riusksk (泉哥) of Tencent Security Platform Department
CoreMedia
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted .mov file may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of .mov files. This issue was addressed through improved memory management.
CVE-2017-2431: kimyok of Tencent Security Platform Department
CoreText
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2435: John Villamil, Doyensec
CoreText
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: An out-of-bounds read was addressed through improved input validation.
CVE-2017-2450: John Villamil, Doyensec
CoreText
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted text message may lead to application denial of service
Description: A resource exhaustion issue was addressed through improved input validation.
CVE-2017-2461: Isaac Archambault of IDAoADI, an anonymous researcher
curl
Available for: macOS Sierra 10.12.3
Impact: Maliciously crafted user input to libcurl API may allow arbitrary code execution
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2016-9586: Daniel Stenberg of Mozilla
EFI
Available for: macOS Sierra 10.12.3
Impact: A malicious Thunderbolt adapter may be able to recover the FileVault 2 encryption password
Description: An issue existed in the handling of DMA. This issue was addressed by enabling VT-d in EFI.
CVE-2016-7585: Ulf Frisk (@UlfFrisk)
FinderKit
Available for: macOS Sierra 10.12.3
Impact: Permissions may unexpectedly reset when sending links
Description: A permission issue existed in the handling of the Send Link feature of iCloud Sharing. This issue was addressed through improved permission controls.
CVE-2017-2429: Raymond Wong DO of Arnot Ogden Medical Center
FontParser
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved input validation.
CVE-2017-2487: riusksk (泉哥) of Tencent Security Platform Department
CVE-2017-2406: riusksk (泉哥) of Tencent Security Platform Department
FontParser
Available for: macOS Sierra 10.12.3
Impact: Parsing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved input validation.
CVE-2017-2407: riusksk (泉哥) of Tencent Security Platform Department
FontParser
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: An out-of-bounds read was addressed through improved input validation.
CVE-2017-2439: John Villamil, Doyensec
FontParser
Available for: OS X El Capitan v10.11.6 and OS X Yosemite v10.10.5
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.
CVE-2016-4688: Simon Huang of Alipay company
HTTPProtocol
Available for: macOS Sierra 10.12.3
Impact: A malicious HTTP/2 server may be able to cause undefined behavior
Description: Multiple issues existed in nghttp2 before 1.17.0. These were addressed by updating nghttp2 to version 1.17.0.
CVE-2017-2428
Hypervisor
Available for: macOS Sierra 10.12.3
Impact: Applications using the Hypervisor framework may unexpectedly leak the CR8 control register between guest and host
Description: An information leakage issue was addressed through improved state management.
CVE-2017-2418: Alex Fishman and Izik Eidus of Veertu Inc.
iBooks
Available for: macOS Sierra 10.12.3
Impact: Parsing a maliciously crafted iBooks file may lead to local file disclosure
Description: An information leak existed in the handling of file URLs. This issue was addressed through improved URL handling.
CVE-2017-2426: Craig Arendt of Stratum Security, Jun Kokatsu (@shhnjk)
ImageIO
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2416: Qidan He (何淇丹, @flanker_hqd) of KeenLab, Tencent
ImageIO
Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2432: an anonymous researcher working with Trend Micro's Zero Day Initiative
ImageIO
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2467
ImageIO
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to unexpected application termination
Description: An out-of-bounds read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in ImageIO to version 4.0.7.
CVE-2016-3619
Intel Graphics Driver
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2443: Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: macOS Sierra 10.12.3
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2017-2489: Ian Beer of Google Project Zero
IOATAFamily
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2408: Yangkang (@dnpushme) of Qihoo360 Qex Team
IOFireWireAVC
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2436: Orr A, IBM Security
IOFireWireAVC
Available for: macOS Sierra 10.12.3
Impact: A local attacker may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2437: Benjamin Gnahm (@mitp0sh) of Blue Frost Security
IOFireWireFamily
Available for: macOS Sierra 10.12.3
Impact: An application may be able to cause a denial of service
Description: A null pointer dereference was addressed through improved input validation.
CVE-2017-2388: Brandon Azad, an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2398: Lufeng Li of Qihoo 360 Vulcan Team
CVE-2017-2401: Lufeng Li of Qihoo 360 Vulcan Team
Kernel
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-2410: Apple
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An integer overflow was addressed through improved input validation.
CVE-2017-2440: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with root privileges
Description: A race condition was addressed through improved memory handling.
CVE-2017-2456: lokihardt of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2472: Ian Beer of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-2473: Ian Beer of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An off-by-one issue was addressed through improved bounds checking.
CVE-2017-2474: Ian Beer of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed through improved locking.
CVE-2017-2478: Ian Beer of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-2482: Ian Beer of Google Project Zero
CVE-2017-2483: Ian Beer of Google Project Zero
Kernel
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with elevated privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2490: Ian Beer of Google Project Zero, The UK's National Cyber Security Centre (NCSC)
Kernel
Available for: macOS Sierra 10.12.3
Impact: The screen may unexpectedly remain unlocked when the lid is closed
Description: An insufficient locking issue was addressed with improved state management.
CVE-2017-7070: Ed McKenzie
Keyboards
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2017-2458: Shashank (@cyberboyIndia)
Keychain
Available for: macOS Sierra 10.12.3
Impact: An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain
Description: In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets. This issue was addressed through improved validation.
CVE-2017-2448: Alex Radocea of Longterm Security, Inc.
libarchive
Available for: macOS Sierra 10.12.3
Impact: A local attacker may be able to change file system permissions on arbitrary directories
Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.
CVE-2017-2390: Omer Medan of enSilo Ltd
libc++abi
Available for: macOS Sierra 10.12.3
Impact: Demangling a malicious C++ application may lead to arbitrary code execution
Description: A use after free issue was addressed through improved memory management.
CVE-2017-2441
LibreSSL
Available for: macOS Sierra 10.12.3 and OS X El Capitan v10.11.6
Impact: A local user may be able to leak sensitive user information
Description: A timing side channel allowed an attacker to recover keys. This issue was addressed by introducing constant time computation.
CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology)
libxslt
Available for: OS X El Capitan v10.11.6
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-2477
libxslt
Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and Yosemite v10.10.5
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2017-5029: Holger Fuhrmannek
MCX Client
Available for: macOS Sierra 10.12.3
Impact: Removing a configuration profile with multiple payloads may not remove Active Directory certificate trust
Description: An issue existed in profile uninstallation. This issue was addressed through improved cleanup.
CVE-2017-2402: an anonymous researcher
Menus
Available for: macOS Sierra 10.12.3
Impact: An application may be able to disclose process memory
Description: An out-of-bounds read was addressed through improved input validation.
CVE-2017-2409: Sergey Bylokhov
Multi-Touch
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2017-2422: @cocoahuke
OpenSSH
Available for: macOS Sierra 10.12.3
Impact: Multiple issues in OpenSSH
Description: Multiple issues existed in OpenSSH before version 7.4. These were addressed by updating OpenSSH to version 7.4.
CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012
OpenSSL
Available for: macOS Sierra 10.12.3
Impact: A local user may be able to leak sensitive user information
Description: A timing side channel issue was addressed by using constant time computation.
CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology)
Printing
Available for: macOS Sierra 10.12.3
Impact: Clicking a malicious IPP(S) link may lead to arbitrary code execution
Description: An uncontrolled format string issue was addressed through improved input validation.
CVE-2017-2403: beist of GrayHash
python
Available for: macOS Sierra 10.12.3
Impact: Processing maliciously crafted zip archives with Python may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of zip archives. This issue was addressed through improved input validation.
CVE-2016-5636
QuickTime
Available for: macOS Sierra 10.12.3
Impact: Viewing a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickTime. This issue was addressed through improved memory handling.
CVE-2017-2413: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360
Security
Available for: macOS Sierra 10.12.3
Impact: Validating empty signatures with SecKeyRawVerify() may unexpectedly succeed
Description: A validation issue existed with cryptographic API calls. This issue was addressed through improved parameter validation.
CVE-2017-2423: an anonymous researcher
Security
Available for: macOS Sierra 10.12.3
Impact: An application may be able to execute arbitrary code with root privileges
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2017-2451: Alex Radocea of Longterm Security, Inc.
Security
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted x509 certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation.
CVE-2017-2485: Aleksandar Nikolic of Cisco Talos
SecurityFoundation
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
Description: A double free issue was addressed through improved memory management.
CVE-2017-2425: kimyok of Tencent Security Platform Department
sudo
Available for: macOS Sierra 10.12.3
Impact: A user in a group named "admin" on a network directory server may be able to unexpectedly escalate privileges using sudo
Description: An access issue existed in sudo. This issue was addressed through improved permissions checking.
CVE-2017-2381
System Integrity Protection
Available for: macOS Sierra 10.12.3
Impact: A malicious application may be able to modify protected disk locations
Description: A validation issue existed in the handling of system installation. This issue was addressed through improved handling and validation during the installation process.
CVE-2017-6974: Patrick Wardle of Synack
tcpdump
Available for: macOS Sierra 10.12.3
Impact: An attacker in a privileged network position may be able to execute arbitrary code with user assistance
Description: Multiple issues existed in tcpdump before 4.9.0. These were addressed by updating tcpdump to version 4.9.0.
CVE-2016-7922
CVE-2016-7923
CVE-2016-7924
CVE-2016-7925
CVE-2016-7926
CVE-2016-7927
CVE-2016-7928
CVE-2016-7929
CVE-2016-7930
CVE-2016-7931
CVE-2016-7932
CVE-2016-7933
CVE-2016-7934
CVE-2016-7935
CVE-2016-7936
CVE-2016-7937
CVE-2016-7938
CVE-2016-7939
CVE-2016-7940
CVE-2016-7973
CVE-2016-7974
CVE-2016-7975
CVE-2016-7983
CVE-2016-7984
CVE-2016-7985
CVE-2016-7986
CVE-2016-7992
CVE-2016-7993
CVE-2016-8574
CVE-2016-8575
CVE-2017-5202
CVE-2017-5203
CVE-2017-5204
CVE-2017-5205
CVE-2017-5341
CVE-2017-5342
CVE-2017-5482
CVE-2017-5483
CVE-2017-5484
CVE-2017-5485
CVE-2017-5486
tiffutil
Available for: macOS Sierra 10.12.3
Impact: Processing a maliciously crafted image may lead to unexpected application termination
Description: An out-of-bounds read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in AKCmds to version 4.0.7.
CVE-2016-3619
CVE-2016-9533
CVE-2016-9535
CVE-2016-9536
CVE-2016-9537
CVE-2016-9538
CVE-2016-9539
CVE-2016-9540
Additional recognition
XNU
We would like to acknowledge Lufeng Li of Qihoo 360 Vulcan Team for their assistance.