Apple has released Security Update 2016-001 for El Capitan and Security Update 2016-005 for Yosemite, along with Safari 9.1.3 for its web browser. Between them, these updates close the three "Trident" vulnerabilities that iOS 9.3.5 patched: the two security updates fix the two kernel flaws, and Safari 9.1.3 fixes the WebKit flaw.
The security updates are available only for OS X Yosemite 10.10.5 and OS X El Capitan 10.11.6. Mavericks 10.9.5 users get the standalone Safari 9.1.3 update, which closes the WebKit bug, but no kernel fix, so Mavericks remains vulnerable to two of the three Trident flaws.
OS X and iOS share the XNU kernel and the WebKit engine, so the same bugs are present on the Mac and it makes sense that Apple patched OS X as well. What is a bit surprising is that a company as skilled as the one behind Pegasus, which chained these three bugs on iOS, apparently did not recognise that the Mac carries the same flaws and build an exploit for it. No exploits for the Trident vulnerabilities have been found on the Mac, though that does not mean none exists, only that none has been found yet.
- CVE-2016-4654 (WebKit, fixed in Safari 9.1.3): Visiting a maliciously crafted website may lead to arbitrary code execution. A memory corruption issue was addressed through improved memory handling. In the iOS chain this was the entry point: a malicious page ran code inside Safari.
- CVE-2016-4655 (kernel, fixed in the security updates): An application may be able to disclose kernel memory. A validation issue was addressed through improved input sanitization. The leak gave the attacker the kernel's load address, defeating kernel ASLR.
- CVE-2016-4656 (kernel, fixed in the security updates): An application may be able to execute arbitrary code with kernel privileges. A memory corruption issue was addressed through improved memory handling. This was the final step, turning code execution in the browser into kernel-level control of the device.
Security Update 2016-001 (for El Capitan) and Security Update 2016-005 (for Yosemite) are recommended for all users and improve the security of OS X.
OS X El Capitan and Yosemite users can install the updates whichever way they prefer: through the Mac App Store's Updates tab, from the command line with `softwareupdate -l` followed by `softwareupdate -i -a`, or by downloading the standalone packages from Apple's support downloads page. Mavericks users can get the Safari 9.1.3 update from the Mac App Store as well, but should bear in mind that it leaves the two kernel flaws unpatched.
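To turn the version matrix above into something an administrator can run across a fleet, the following script (an added example, not code from the article or from Apple) reports the status of each Trident CVE for a given Mac. It takes three inputs that are easy to collect remotely: the OS version from `sw_vers -productVersion`, Safari's `CFBundleShortVersionString`, and the receipt list from `pkgutil --pkgs`. The function names `ver_ge` and `trident_status` are my own, and the assumption that a security update leaves a receipt containing the string `SecUpd2016-001` or `SecUpd2016-005` is mine as well; verify it against `pkgutil --pkgs` on a patched machine before relying on it.

```shell
#!/bin/sh
# Added example: classify a Mac's exposure to the three Trident CVEs
# from its OS version, Safari version and installed package receipts.

# ver_ge A B: succeed (exit 0) when dotted version A is >= B.
# Pure POSIX sh: compares one numeric component at a time, padding
# missing components with 0, so "9.1" == "9.1.0".
ver_ge() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# trident_status OSVER SAFARIVER PKGIDS
#   OSVER     - output of `sw_vers -productVersion`, e.g. 10.11.6
#   SAFARIVER - Safari's CFBundleShortVersionString, e.g. 9.1.3
#   PKGIDS    - newline-separated output of `pkgutil --pkgs`
# Prints one line per CVE with "patched", "VULNERABLE" or "unknown".
trident_status() {
  os="$1"; safari="$2"; pkgs="$3"

  # CVE-2016-4654 lives in WebKit and is fixed by Safari 9.1.3 on
  # Mavericks, Yosemite and El Capitan alike.
  if ver_ge "$safari" "9.1.3"; then web=patched; else web=VULNERABLE; fi

  # The two kernel CVEs need the OS-specific security update. Assumption:
  # the update's receipt id contains the SecUpd identifier shown here.
  case "$os" in
    10.11.*) secupd='SecUpd2016-001' ;;          # El Capitan
    10.10.*) secupd='SecUpd2016-005' ;;          # Yosemite
    10.9.*)  secupd='' ;;                        # Mavericks: no fix shipped
    *)       secupd='' ;;                        # release not covered here
  esac
  if [ -n "$secupd" ] && printf '%s\n' "$pkgs" | grep -q "$secupd"; then
    kern=patched
  elif [ -n "$secupd" ]; then
    kern=VULNERABLE
  else
    case "$os" in
      10.9.*) kern='VULNERABLE (no fix for Mavericks)' ;;
      *)      kern=unknown ;;
    esac
  fi

  printf 'CVE-2016-4654 WebKit  %s\n' "$web"
  printf 'CVE-2016-4655 kernel  %s\n' "$kern"
  printf 'CVE-2016-4656 kernel  %s\n' "$kern"
}

# On a Mac, feed in the live values; on any other OS this block is skipped.
if [ "$(uname -s)" = Darwin ]; then
  trident_status "$(sw_vers -productVersion)" \
    "$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)" \
    "$(pkgutil --pkgs)"
fi
```

Running it on a Mavericks box with Safari 9.1.3 reports the WebKit bug as patched and both kernel bugs as vulnerable, which is exactly the gap the article describes; a 10.9 machine should be treated as unpatchable for Trident rather than merely out of date.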