
Apple Releases macOS Sierra 10.12.4 and More with Security Fixes

Posted on March 29th, 2017 by


Apple this week released security software updates for all of its operating systems, Safari, Pages, Numbers and Keynote. As we all know, there is much more to these updates than what's shown in the update description, so here are some of the details.

macOS Sierra 10.12.4

Available for: Any Mac running macOS Sierra 10.12.3

Listed as an update that improves the stability, compatibility, and security of your Mac, it mentions the following as being new and improved:

  • Adds Night Shift for automatically shifting the colors in your display to the warmer end of the spectrum after dark.
  • Adds Siri support for cricket scores, schedules, and player rosters from the Indian Premier League and International Cricket Council.
  • Adds Dictation support for Shanghainese.
  • Improves right-to-left language support for the Touch Bar, toolbar, and visual tab picker in Safari.
  • Resolves several PDF rendering and annotation issues in Preview.
  • Improves the visibility of the subject line when using Conversation View in Mail.
  • Fixes an issue that may prevent content from appearing in Mail messages.
  • Adds support for more digital camera RAW formats.

Night Shift is available to all Macs from 2012 (Mac Pro not included) and newer. For those on older Macs, or even those on newer Macs, f.lux still offers superior controls and results. Another new feature which was not mentioned by Apple is the additional re-install option.

The macOS Sierra 10.12.4 update also addresses a long list of security issues, 127 to be exact. This includes:

  • 22 fixes for memory corruption related issues that can lead to unexpected application termination, arbitrary code execution or both.
  • 41 tcpdump issues that could allow an attacker in a privileged network position to execute arbitrary code with user assistance.
  • 11 issues where processing a maliciously crafted image could lead to a denial of service, arbitrary code execution or unexpected application termination.

macOS Sierra 10.12.4 includes an EFI firmware patch for some machines to address potential firmware attacks. According to Apple, "A malicious Thunderbolt adapter may be able to recover the FileVault 2 encryption password." Attacking the firmware to bypass security is not unheard of: the documents recently dumped by WikiLeaks show that the CIA has been using such an exploit, called "Sonic Screwdriver," and the Thunderstrike bug a few years ago also found a way to modify firmware.

The firmware is patched automatically when the macOS Sierra 10.12.4 update is installed. If you feel your hardware is at risk of having its firmware exploited through malicious Thunderbolt adapters, be aware that not all Macs had their firmware patched.

Following are some of the Macs we know of that did not get their firmware updated:

- iMac (27-inch, Mid 2011)
- iMac (27-inch, Late 2012)
- iMac (21.5-inch, Early 2013)
- MacBook Pro (13/15/17-inch, Early 2011)
- MacBook Pro (Retina, 15-inch, Late 2013)
- MacBook Pro (Retina, 15-inch, Mid 2014)
- Mac mini (Mid 2011) (with AMD Radeon Graphics)
- Mac mini (Server, Mid 2011)
- Mac mini (Server, Late 2012)
- Mac mini (Late 2014)

(Hat tip to Pepijn Bruienne for that list.)

The above Macs are potentially still vulnerable to the EFI firmware vulnerability.

macOS Sierra 10.12.4 can be downloaded by going to the App Store > Updates tab, as a stand-alone update here or a combo update here.

Security Update 2017-001 (El Capitan)

Available for: Any Mac running OS X El Capitan v10.11.6

Listed as recommended for all users because it improves the security of OS X, Security Update 2017-001 addresses a memory corruption issue that could lead to arbitrary code execution when a maliciously crafted JPEG file is viewed. A LibreSSL issue was also fixed, which could have enabled a local user to leak sensitive user information.

Security Update 2017-001 (El Capitan) can be downloaded by going to the App Store > Updates tab, or as a stand-alone update here.

Security Update 2017-001 (Yosemite)

Available for: OS X Yosemite v10.10.5

Listed as recommended for all users because it improves the security of OS X, the update addresses the same memory corruption issue that could lead to arbitrary code execution when a maliciously crafted JPEG file is viewed. For the full list of security issues that were addressed, have a look here.

Security Update 2017-001 (Yosemite) can be downloaded by going to the App Store > Updates tab, or as a stand-alone update here.

iOS 10.3

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

iOS 10.3 is listed as an update that introduces new features, including the ability to locate AirPods using Find My iPhone and more ways to use Siri with payment, ride booking and automaker apps. A notable improvement is made to Calendar, which can now delete an unwanted invite and report it as junk, which should cut down on iCloud calendar spam. A combined 84 security issues were addressed in this update, including:

  • 17 fixes for memory corruption related issues that can lead to unexpected application termination, arbitrary code execution or both.
  • 26 WebKit issues that could lead to arbitrary code execution, universal cross site scripting and high memory consumption.
  • 3 issues where processing a maliciously crafted image could lead to a denial of service, arbitrary code execution or unexpected application termination.

When installing the update, you may notice it takes a considerable amount of time to install. (Twenty to thirty minutes is not unheard of for this update.) This is in part because the update upgrades the filesystem to the new APFS.

The full list of security issues that were addressed can be found here. iOS 10.3 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 10.2

Available for: Apple TV (4th generation)

tvOS 10.2 is listed as an update that focuses on new features, bug fixes, and improvements in the OS and SDK. Some of the new features and improvements include smoother scrolling of large lists, DEP support and expanded MDM support. tvOS saw 60 security issues addressed, including:

  • 16 fixes for memory corruption related issues that can lead to unexpected application termination, arbitrary code execution or both.
  • 27 WebKit issues that could lead to arbitrary code execution, universal cross site scripting and high memory consumption.

The full list of security issues that were addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 3.2

Available for: All Apple Watch models

watchOS 3.2 introduces Theater Mode:

Theater Mode lets users quickly mute the sound on their Apple Watch and avoid waking the screen on wrist raise. Users still receive notifications (including haptics) while in Theater Mode, which they can view by tapping the screen or pressing the Digital Crown.

The under-the-hood security improvements are a bit more exciting: 35 security issues were addressed, including 12 fixes for memory corruption related issues that can lead to unexpected application termination, arbitrary code execution or both.

The full list of security issues that were addressed can be found here. watchOS 3.2 can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

That's it for the OS updates. A few applications got their own security updates, too.

Safari 10.1

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.4

The update adds the capability to drag the downloads list into a standalone window, brings Paste and Search to the Safari Smart Search field’s contextual menu, and resolves an issue that caused background tabs to suddenly appear in the foreground. A total of 41 security issues were addressed, including 36 WebKit related fixes with 7 of those being fixes for memory corruption related issues that can lead to unexpected application termination, arbitrary code execution or both.

The full list of security issues that were addressed can be found here. The update can be downloaded by going to the App Store > Updates tab on El Capitan and Yosemite systems. For Sierra users, the update is built-in to the macOS Sierra 10.12.4 update.

Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS

Available for: macOS 10.12 or later, iOS 10.0 or later

Among the new features is the ability to quickly open password-protected documents using Touch ID on the new MacBook Pro with Touch Bar, which is certainly convenient. Security-wise, Apple made only one change to the iWork suite apps on both Mac and iOS: iWork used weak 40-bit RC4 encryption for password-protected PDF exports. This issue was addressed by changing iWork's export to use AES-128. The weak encryption allowed the contents of password-protected PDFs exported from iWork to be exposed, so it is a fix worth mentioning.
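If you have password-protected PDFs that were exported from iWork before this update, the quickest way to tell whether a file still carries the weak 40-bit RC4 protection is to read its /Encrypt dictionary: the standard security handler records the algorithm version in /V (1 means 40-bit RC4, 2 means RC4 with the key size in /Length, 4 uses a crypt filter whose /CFM is AESV2 for AES-128, 5 is AES-256). The script below is an added example written for this article, not Apple's or iWork's code; the two sample "PDFs" inside it are constructed skeletons that only contain the trailer and encryption object, so they illustrate the check but will not open in a viewer.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PdfEncryption:
    version: int   # /V from the /Encrypt dictionary (0 when the file is unencrypted)
    key_bits: int  # key length in bits as declared by the file
    cipher: str    # "none", "RC4", "AES-128", "AES-256" or "unknown"

    @property
    def weak(self) -> bool:
        # RC4 is weak at any key size; the 40-bit variant iWork used is brute-forceable.
        return self.cipher == "RC4"


def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary beginning at data[start:] ('<<'), honoring nested << >>
    and skipping hex strings such as /O <...> whose closing '>' could be confused with '>>'.
    (Literal strings in parentheses are not handled; they rarely appear in /Encrypt.)"""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        elif data[i:i + 1] == b"<":  # hex string: jump past its closing '>'
            i = data.index(b">", i) + 1
        else:
            i += 1
    raise ValueError("unterminated PDF dictionary")


def _encrypt_dict(pdf: bytes) -> Optional[bytes]:
    """Locate the /Encrypt dictionary, resolving an indirect reference (e.g. '/Encrypt 5 0 R')."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:
        num, gen = re.escape(ref.group(1)), re.escape(ref.group(2))
        obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<", pdf)
        return _balanced_dict(pdf, obj.end() - 2) if obj else None
    inline = re.search(rb"/Encrypt\s*<<", pdf)
    return _balanced_dict(pdf, inline.end() - 2) if inline else None


def _int(d: bytes, key: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else default


def inspect_pdf_encryption(pdf: bytes) -> PdfEncryption:
    """Classify the encryption declared by a PDF's standard security handler."""
    d = _encrypt_dict(pdf)
    if d is None:
        return PdfEncryption(0, 0, "none")
    # Split off the /CF crypt-filter sub-dictionary so /V and /Length are read from the top level.
    cf_m = re.search(rb"/CF\s*<<", d)
    cf = _balanced_dict(d, cf_m.end() - 2) if cf_m else b""
    top = d.replace(cf, b"") if cf else d
    v = _int(top, b"V", 0)
    if v in (0, 1):
        return PdfEncryption(v, 40, "RC4")              # V1: RC4, key fixed at 40 bits
    if v == 2:
        return PdfEncryption(v, _int(top, b"Length", 40), "RC4")  # V2: RC4, /Length bits
    if v == 4:
        cfm = re.search(rb"/CFM\s*/(\w+)", cf)
        method = cfm.group(1) if cfm else b"None"
        if method == b"AESV2":
            return PdfEncryption(v, 128, "AES-128")
        if method == b"V2":
            return PdfEncryption(v, _int(top, b"Length", 128), "RC4")
        return PdfEncryption(v, 0, "none" if method == b"None" else "unknown")
    if v == 5:
        return PdfEncryption(v, 256, "AES-256")          # V5 / AESV3
    return PdfEncryption(v, 0, "unknown")


def _sample_pdf(encrypt_obj: bytes) -> bytes:
    """Constructed minimal PDF skeleton carrying the given /Encrypt object (not a viewable file)."""
    return (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"5 0 obj\n" + encrypt_obj + b"\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>] >>\n%%EOF\n")


# Constructed samples: what a pre-update 40-bit RC4 export and an AES-128 export declare.
WEAK_RC4_40 = _sample_pdf(b"<< /Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O <00> /U <00> >>")
AES_128 = _sample_pdf(b"<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << /CFM /AESV2 "
                      b"/AuthEvent /DocOpen /Length 16 >> >> /StmF /StdCF /StrF /StdCF "
                      b"/P -3904 /O <00> /U <00> >>")

if __name__ == "__main__":
    for name, sample in (("RC4-40 export", WEAK_RC4_40), ("AES-128 export", AES_128)):
        info = inspect_pdf_encryption(sample)
        print(f"{name}: V={info.version} {info.cipher} ({info.key_bits}-bit) weak={info.weak}")
```

To check a real export, call `inspect_pdf_encryption(open(path, "rb").read())`. One caveat: the parser reads classic trailer layout only, so a file whose trailer lives in a cross-reference stream or whose /Encrypt object sits inside a compressed object stream reports "none"; treat that result as "could not determine", not as proof that the file is unencrypted.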

The updates can be downloaded on both Mac and iOS by going to the App Store > Updates tab.

macOS Server 5.3

Available for: macOS 10.12.4 and later

Focused on Caching Server and Profile Manager, this was mostly a release that introduced new features and improved compatibility. Security-wise it only addressed 3 vulnerabilities, which can be viewed here.

The update can be downloaded by going to the App Store > Updates tab.

With a few hundred software vulnerabilities resolved across all Apple operating systems and several apps, it is a good idea to install these updates as soon as possible. As always, make sure your Mac, iOS device and Server settings are properly backed up before installing updates. If you need any help creating or fine-tuning your backup strategy, keep an eye out for some related articles in the next few days.


About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
