The Mac Security Blog

Security News

Apple Releases macOS Sierra 10.12.6 and More with Security Fixes

Posted on by

Apple Software Security Updates

Apple today released software updates for all of its operating systems and Safari. As we all know, there is much more to these updates than what’s shown in the update description, so here are some of the details.

macOS Sierra 10.12.6

Available for: Any Mac running macOS Sierra 10.12.5

Listed as an update that improves the stability, compatibility, and security of your Mac, it mentions no new features, making this strictly a security release. This update addresses several security issues, 35 to be exact. These include:

  • 10 Kernel fixes preventing applications from reading restricted memory, gaining kernel privileges and arbitrary code execution.
  • 3 issues were fixed that could lead to a maliciously crafted audio file executing arbitrary code and disclosing restricted memory.
  • 3 memory corruption issues in Bluetooth were addressed that could lead to an application arbitrary code execution.

The biggest patch in this update addresses the recently disclosed Broadpwn bug. This bug allowed an attacker to execute code on a device with a vulnerable Broadcom Wi-Fi chip without needing to infect a device with malware, social engineering or even a malicious Wi-Fi network. The only requirement was to be in range of such a device and of course have the skills to pull it off. And if so, an attacker could potentially do some major damage. This vulnerability only appears to be addressed in 10.12.6, and even though 10.11.6 El Capitan and 10.10.5 Yosemite also received security updates today, a patch for the Broadpwn bug was not one of them.

Security Update 2017-003 El Capitan

Available for: Any Mac running OS X El Capitan v10.11.6

Listed as recommended for all users and improves the security of OS X, the update addresses issues that could allow applications to gain system or kernel privileges, read restricted memory or arbitrary code execution. In total, El Capitan received 13 security fixes.

Security Update 2017-003 Yosemite

Available for: OS X Yosemite v10.10.5

Listed as recommended for all users and improves the security of OS X, the update addresses all but 2 of the same issues covered in the El Capitan update. In total, Yosemite received 11 security fixes.

For the full list of security issues that were addressed, have a look here. The updates can be downloaded through the App Store > Updates tab on all three OS versions. macOS Sierra users can also download a stand-alone update here. OS X El Capitan users can get their security update here, and OS X Yosemite users can download it here.

This covered the updates available for just macOS and OS X, but there’s more.

iOS 10.3.3

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation

Listed as an update that includes bug fixes and improves the security of your iOS device. A total of 47 security issues were addressed in this update, including:

  • 9 Kernel issues were addressed that could allow an application to execute arbitrary code with system or kernel privileges or to read restricted memory.
  • 23 WebKit issues that could lead to arbitrary code execution, address bar spoofing, cross site scripting and disclosure of restricted memory.
  • The same Broadcom vulnerability thatw as addressed in macOS 10.12.6 was also addressed in iOS 10.3.3

The full list of security issues that were addressed can be found here. iOS 10.3.3 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

tvOS 10.2.2

Available for: Apple TV (4th generation)

tvOS saw 38 security issues addressed, including 20 WebKit fixes, 9 Kernel fixes, and the previously mentioned Broadpwn bug was addressed as well.

The full list of security issues that were addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 3.2.3

Available for: All Apple Watch models

A total of 16 security issues were addressed in this update, including the same 9 Kernel issues and the Broadpwn bug.

The full list of security issues that were addressed can be found here. watchOS 3.2.3 can be installed by connecting the watch to its charger, then on the iPhone open the Apple Watch app > My Watch tab > General > Software Update.

That’s it for the OS updates.

Safari 10.1.2

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.6

Listed as an update that is recommended for all users and containing security improvements, 25 security issues were addressed, 24 of which involved WebKit.

The full list of security issues that were addressed can be found here. The update can be downloaded by going to the App Store > Updates tab on El Capitan and Yosemite systems. For Sierra users the update is built-in to the 10.12.6 update.

It is recommended to install these updates as soon as possible. As always, make sure your Mac and iOS device are properly backed up before installing updates. If you need any help creating or fine-tuning your backup strategy, have a look at this article.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. View all posts by Jay Vrijenhoek →