Security News

Apple Releases macOS Sierra 10.12.1 and More with Security Fixes

Posted on October 24th, 2016 by

 

Apple Software Security Updates

Today, Apple released software updates with security fixes for just about all of its products: macOS, iOS, watchOS, tvOS and Safari. Apple’s security updates are available for all Apple Watch models, iPhone 5 and later, iPad (4th generation and later), iPod touch (6th generation and later), Apple TV (4th generation), OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.

One of the best things you can do to secure your computer is to keep your software up to date, because software vulnerabilities tend to be the easiest point of entry for hackers to circumvent your defenses. For this reason alone, it’s imperative to update the software on your Mac, your iOS devices, Apple TV and on your Apple Watch. Below is a list of issues addressed in Apple’s latest security updates, along with directions on where to obtain the updates.

macOS 10.12.1

Listed as an update that improves stability, compatibility and security it addresses the following:

  • Adds an automatic smart album in Photos for Depth Effect images taken on iPhone 7 Plus.
  • Improves the compatibility of Microsoft Office when using iCloud Desktop and Documents.
  • Fixes an issue that may prevent Mail from updating when using a Microsoft Exchange account.
  • Fixes an issue that caused text to sometimes paste incorrectly when using Universal Clipboard.
  • Improves reliability of Auto Unlock with Apple Watch.
  • Improves security and stability in Safari.
  • Fixes an issue that may cause Mail to display unnecessary password prompts for AOL accounts.
  • Improves compatibility with Fujitsu’s ScanSnap scanning software.
  • Addresses a “Filter Failed” error when printing to some Canon printers.
  • Fixes an issue that may prevent Grapher files from opening.
  • Brings back the Safari option to “never use font sizes smaller than” for displaying fonts on webpages.

There are also 16 security fixes included. Most notable are patches to security where a local attacker may have been able to observe the length of a login password upon login, the CoreGraphics and ImageIO where viewing or parsing a maliciously crafted JPEG or PDF file may have lead to arbitrary code execution. FontParser also received a patch to prevent the disclosure of sensitive user information if a maliciously crafted font was parsed. FaceTime also received a patch to prevent an attacker in a privileged network position to cause a relayed call to continue transmitting audio while appearing as if the call terminated. The Safari 10.0.1 update is wrapped into this Sierra update as well. The full list of security fixes can be seen below or by visiting the Apple website.

Click here to see the full list of macOS Sierra 10.12.1 security fixes

macOS Sierra 10.12.1

Released October 24, 2016

AppleGraphicsControl

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved lock state checking.

CVE-2016-4662: Apple

AppleSMC

Available for: macOS Sierra 10.12

Impact: A local user may be able to elevate privileges

Description: A null pointer dereference was addressed through improved locking.

CVE-2016-4678: daybreaker@Minionz working with Trend Micro’s Zero Day Initiative

ATS

Available for: macOS Sierra 10.12

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4667: Simmon Huang of alipay, Thelongestusernameofall@gmail.com, Moony Li of Trend Micro, @Flyic

ATS

Available for: macOS Sierra 10.12

Impact: A local user may be able to execute arbitrary code with additional privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4674: Shrek_wzw of Qihoo 360 Nirvan Team

CFNetwork Proxies

Available for: macOS Sierra 10.12

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.

CVE-2016-7579: Jerry Decime

CoreGraphics

Available for: macOS Sierra 10.12

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FaceTime

Available for: macOS Sierra 10.12

Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated

Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.

CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com

FontParser

Available for: macOS Sierra 10.12

Impact: Parsing a maliciously crafted font may disclose sensitive user information

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab

ImageIO

Available for: OS X El Capitan v10.11.6

Impact: Parsing a maliciously crafted PDF may lead to arbitrary code execution

Description: An out-of-bounds write was addressed through improved bounds checking.

CVE-2016-4671: Ke Liu of Tencent’s Xuanwu Lab, Juwei Lin (@fuzzerDOTcn)

ImageIO

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing a maliciously crafted image may result in the disclosure of process memory

Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.

CVE-2016-4682: Ke Liu of Tencent’s Xuanwu Lab

libarchive

Available for: macOS Sierra 10.12

Impact: A malicious archive may be able to overwrite arbitrary files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.

CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc

Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12

Impact: An application may be able to execute arbitrary code with root privileges

Description: A logic issue was addressed through additional restrictions.

CVE-2016-4675: Ian Beer of Google Project Zero

ntfs

Available for: macOS Sierra 10.12

Impact: An application may be able to cause a denial of service

Description: An issue existed in the parsing of disk images. This issue was addressed through improved validation.

CVE-2016-4661: Recurity Labs on behalf of BSI (German Federal Office for Information Security)

NVIDIA Graphics Drivers

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: An application may be able to cause a denial of service

Description: A memory corruption issue was addressed through improved input validation.

CVE-2016-4663: Apple

Security

Available for: macOS Sierra 10.12

Impact: A local attacker can observe the length of a login password when a user logs in

Description: A logging issue existed in the handling of passwords. This issue was addressed by removing password length logging.

CVE-2016-4670: an anonymous researcher

System Boot

Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.

CVE-2016-4669: Ian Beer of Google Project Zero

The update can be downloaded by going to the App Store > Updates tab.

Note that Security Update 2016-002 10.11.6 was also released today for El Capitan users and Security Update 2016-006 10.10.5 for Yosemite users. The list of vulnerabilities these updates addressed have been listed on the Sierra 10.12.1 security content page.

These Security Updates can be downloaded through the download links above or the App Store via the Updates tab.

iOS 10.1

Listed as an update that includes Portrait Camera for iPhone 7 Plus (beta), transit directions for Japan, stability improvements and bug fixes. The list of improvements is lengthy and can be read here. As for security related fixes, there were a total of 13. Most of the same issues that were found in macOS were addressed in iOS as well, including the Security, CoreGraphics, ImageIO and FontParser vulnerabilities. For iOS specifically, two Sandbox Profiles vulnerabilities were addressed to prevent an application from being able to retrieve metadata of photo directories and audio recording directories. The full list of security fixes can be seen below or by visiting the Apple website.

Click here to see the full list of iOS 10.1 security fixes

iOS 10.1

Released October 24, 2016

CFNetwork Proxies

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.

CVE-2016-7579: Jerry Decime

Contacts

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An application may be able to maintain access to the Address Book after access is revoked in Settings

Description: An access control issue in the Address Book was addressed through improved file-link validation.

CVE-2016-4686: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

CoreGraphics

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FaceTime

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated

Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.

CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com

FontParser

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Parsing a maliciously crafted font may disclose sensitive user information

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab

Kernel

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2016-4680: Max Bazaliy of Lookout and in7egral

libarchive

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A malicious archive may be able to overwrite arbitrary files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.

CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An application may be able to execute arbitrary code with root privileges

Description: A logic issue was addressed through additional restrictions.

CVE-2016-4675: Ian Beer of Google Project Zero

Sandbox Profiles

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An application may be able to retrieve metadata of photo directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

Sandbox Profiles

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An application may be able to retrieve metadata of audio recording directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

Security

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A local attacker can observe the length of a login password when a user logs in

Description: A logging issue existed in the handling of passwords. This issue was addressed by removing password length logging.

CVE-2016-4670: an anonymous researcher

System Boot

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.

CVE-2016-4669: Ian Beer of Google Project Zero

WebKit

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4677: Anonymous working with Trend Micro Zero Day Initiative

The update can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 10.0.1

A combined 10 security issues were addressed in tvOS 10.0.1, mostly the same as those addressed in iOS. The full list of security fixes can be seen below or by visiting the Apple website.

trigger textClick here to see the full list of tvOS 10.0.1 security fixes

tvOS 10.0.1

Released October 24, 2016

CFNetwork Proxies

Available for: Apple TV (4th generation)

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.

CVE-2016-7579: Jerry Decime

CoreGraphics

Available for: Apple TV (4th generation)

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FontParser

Available for: Apple TV (4th generation)

Impact: Parsing a maliciously crafted font may disclose sensitive user information

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab

Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2016-4680: Max Bazaliy of Lookout and in7egral

libarchive

Available for: Apple TV (4th generation)

Impact: A malicious archive may be able to overwrite arbitrary files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.

CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc

Available for: Apple TV (4th generation)

Impact: An application may be able to execute arbitrary code with root privileges

Description: A logic issue was addressed through additional restrictions.

CVE-2016-4675: Ian Beer of Google Project Zero

Sandbox Profiles

Available for: Apple TV (4th generation)

Impact: An application may be able to retrieve metadata of photo directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

Sandbox Profiles

Available for: Apple TV (4th generation)

Impact: An application may be able to retrieve metadata of audio recording directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

System Boot

Available for: Apple TV (4th generation)

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.

CVE-2016-4669: Ian Beer of Google Project Zero

WebKit

Available for: Apple TV (4th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4677: Anonymous working with Trend Micro’s Zero Day Initiative

The update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 3.1

Listed as an update that includes improvements and bug fixes.

  • New option to replay bubble and full screen effects in Messages
  • Messages effects can play with Reduce Motion enabled
  • Fixes an issue that could cause the notification for Timer complete to be delivered twice
  • Resolves an issue that could prevent Apple Watch Series 2 from fully charging
  • Resolves an issue where Activity rings may disappear from the watch face
  • Fixes an issue that prevented Force Touch options from appearing in some third-party apps

The update also includes 8 security fixes, which are the same as those addressed in iOS 10.1. The full list of security fixes can be seen below or by visiting the Apple website.

Click here to see the full list of watchOS 3.1 security fixes

watchOS 3.1

Released October 24, 2016

CoreGraphics

Available for: All Apple Watch models

Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent

FontParser

Available for: All Apple Watch models

Impact: Parsing a maliciously crafted font may disclose sensitive user information

Description: An out-of-bounds read was addressed through improved bounds checking.

CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab

Kernel

Available for: All Apple Watch models

Impact: An application may be able to disclose kernel memory

Description: A validation issue was addressed through improved input sanitization.

CVE-2016-4680: Max Bazaliy of Lookout and in7egral

libarchive

Available for: All Apple Watch models

Impact: A malicious archive may be able to overwrite arbitrary files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.

CVE-2016-4679: Omer Medan of enSilo Ltd

libxpc

Available for: All Apple Watch models

Impact: An application may be able to execute arbitrary code with root privileges

Description: A logic issue was addressed through additional restrictions.

CVE-2016-4675: Ian Beer of Google Project Zero

Sandbox Profiles

Available for: All Apple Watch models

Impact: An application may be able to retrieve metadata of photo directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

Sandbox Profiles

Available for: All Apple Watch models

Impact: An application may be able to retrieve metadata of audio recording directories

Description: An access issue was addressed through additional sandbox restrictions on third party applications.

CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)

System Boot

Available for: All Apple Watch models

Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.

CVE-2016-4669: Ian Beer of Google Project Zero

The update can be installed by connecting the watch to its charger then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

Safari 10.0.1

Available for OS X Yosemite 10.10.5, OS X El Capitan 10.11.6 and macOS Sierra 10.12 and fixes 3 WebKit vulnerabilities. Those 3 vulnerabilities were enough for Apple to push out this update as they address arbitrary code execution and the disclosure of sensitive user information if a maliciously crafted website is visited. The full details of the security fixes can be seen below or by visiting the Apple website.

Click here to see the full list of Safari 10.0.1 security fixes

Safari 10.0.1

Released October 24, 2016

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4666: Apple

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to the disclosure of sensitive user information

Description: A cross-origin issue existed with location attributes. This was addressed through improved tracking of location attributes across origins.

CVE-2016-4676: Apple

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4677: Anonymous working with Trend Micro’s Zero Day Initiative

The update can be downloaded by going to the App Store > Updates tab. It will be visible for Yosemite and El Capitan users as an available update, but if current Sierra users want it they will have to install the before mentioned 10.12.1 update which has the Safari security fixes built in.

Before installing any updates, we recommend that you backup your data and just in case something falls afoul during the update process.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →