Sep 25, 2016

About the security content of macOS Sierra 10.12

This document describes the security content of macOS Sierra 10.12.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.

macOS Sierra 10.12

Released September 20, 2016
  • apache
    Available for: OS X El Capitan v10.11.6
    Impact: A remote attacker may be able to proxy traffic through an arbitrary server
    Description: An issue existed in the handling of the HTTP_PROXY environment variable. This issue was addressed by not setting the HTTP_PROXY environment variable from CGI.
    CVE-2016-4694: Dominic Scheirlinck and Scott Geary of Vend
  • apache_mod_php
    Available for: OS X El Capitan v10.11.6
    Impact: Multiple issues in PHP, the most significant of which may lead to unexpected application termination or arbitrary code execution.
    Description: Multiple issues in PHP were addressed by updating PHP to version 5.6.24.
    CVE-2016-5768
    CVE-2016-5769
    CVE-2016-5770
    CVE-2016-5771
    CVE-2016-5772
    CVE-2016-5773
    CVE-2016-6174
    CVE-2016-6288
    CVE-2016-6289
    CVE-2016-6290
    CVE-2016-6291
    CVE-2016-6292
    CVE-2016-6294
    CVE-2016-6295
    CVE-2016-6296
    CVE-2016-6297
  • Apple HSSPI Support
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4697: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative
  • AppleEFIRuntime
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A null pointer dereference was addressed through improved input validation.
    CVE-2016-4696: Shrek_wzw of Qihoo 360 Nirvan Team
  • AppleMobileFileIntegrity
    Available for: OS X El Capitan v10.11.6
    Impact: A local application may be able to execute arbitrary code with system privileges
    Description: A validation issue existed in the task port inheritance policy. This issue was addressed through improved validation of the process entitlement and Team ID.
    CVE-2016-4698: Pedro Vilaça
  • AppleUUC
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues were addressed through improved input validation.
    CVE-2016-4699: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro's Zero Day Initiative
    CVE-2016-4700: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro’s Zero Day Initiative
  • Application Firewall
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to cause a denial of service
    Description: A validation issue existed in the handling of firewall prompts. This issue was addressed through improved validation of SO_EXECPATH.
    CVE-2016-4701: Meder Kydyraliev Google Security Team
  • ATS
    Available for: OS X El Capitan v10.11.6
    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4779: riusksk of Tencent Security Platform Department
  • Audio
    Available for: OS X El Capitan v10.11.6
    Impact: A remote attacker may be able to execute arbitrary code
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4702: YoungJin Yoon, MinSik Shin, HoJae Han, Sunghyun Park, and Taekyoung Kwon of Information Security Lab, Yonsei University.
  • Bluetooth
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved input validation.
    CVE-2016-4703: Juwei Lin (@fuzzerDOTcn) of Trend Micro
  • cd9660
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to cause a system denial of service
    Description: An input validation issue was addressed through improved memory handling.
    CVE-2016-4706: Recurity Labs on behalf of BSI (German Federal Office for Information Security)
  • CFNetwork
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to discover websites a user has visited
    Description: An issue existed in Local Storage deletion. This issue was addressed through improved Local Storage cleanup.
    CVE-2016-4707: an anonymous researcher
  • CFNetwork
    Available for: OS X El Capitan v10.11.6
    Impact: Processing maliciously crafted web content may compromise user information
    Description: An input validation issue existed in the parsing of the set-cookie header. This issue was addressed through improved validation checking.
    CVE-2016-4708: Dawid Czagan of Silesia Security Lab
  • CommonCrypto
    Available for: OS X El Capitan v10.11.6
    Impact: An application using CCrypt may disclose sensitive plaintext if the output and input buffer are the same
    Description: An input validation issue existed in corecrypto. This issue was addressed through improved input validation.
    CVE-2016-4711: Max Lohrmann
  • CoreCrypto
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code
    Description: An out-of-bounds write issue was addressed by removing the vulnerable code.
    CVE-2016-4712: Gergo Koteles
  • CoreDisplay
    Available for: OS X El Capitan v10.11.6
    Impact: A user with screen sharing access may be able to view another user's screen
    Description: A session management issue existed in the handling of screen sharing sessions. This issue was addressed through improved session tracking.
    CVE-2016-4713: Ruggero Alberti
  • curl
    Available for: OS X El Capitan v10.11.6
    Impact: Multiple issues in curl
    Description: Multiple security issues existed in curl prior to version 7.49.1. These issues were addressed by updating curl to version 7.49.1.
    CVE-2016-0755: Isaac Boukris
  • Date & Time Pref Pane
    Available for: OS X El Capitan v10.11.6
    Impact: A malicious application may be able to determine a user's current location
    Description: An issue existed in the handling of the .GlobalPreferences file. This was addressed through improved validation.
    CVE-2016-4715: Taiki (@Taiki__San) at ESIEA (Paris)
  • DiskArbitration
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: An access issue existed in diskutil. This issue was addressed through improved permissions checking.
    CVE-2016-4716: Alexander Allen of The North Carolina School of Science and Mathematics
  • File Bookmark
    Available for: OS X El Capitan v10.11.6
    Impact: A local application may be able to cause a denial of service
    Description: A resource management issue existed in the handling of scoped bookmarks. This issue was addressed through improved file descriptor handling.
    CVE-2016-4717: Tom Bradley of 71Squared Ltd
  • FontParser
    Available for: OS X El Capitan v10.11.6
    Impact: Processing a maliciously crafted font may result in the disclosure of process memory
    Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.
    CVE-2016-4718: Apple
  • IDS - Connectivity
    Available for: OS X El Capitan v10.11.6
    Impact: An attacker in a privileged network position may be able to cause a denial of service
    Description: A spoofing issue existed in the handling of Call Relay. This issue was addressed through improved input validation.
    CVE-2016-4722: Martin Vigo (@martin_vigo) of salesforce.com
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues were addressed through improved memory handling.
    CVE-2016-4723: daybreaker of Minionz
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A null pointer dereference was addressed through improved input validation.
    CVE-2016-4724: Cererdlong, Eakerqiu of Team OverSky
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11.6
    Impact: Processing maliciously crafted web content may result in the disclosure of process memory
    Description: A memory corruption issue was addressed through improved input validation.
    CVE-2016-4725: Rodger Combs of Plex, Inc
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4726: an anonymous researcher
  • IOThunderboltFamily
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4727: wmin working with Trend Micro's Zero Day Initiative
  • Kerberos v5 PAM module
    Available for: OS X El Capitan v10.11.6
    Impact: A remote attacker may determine the existence of user accounts
    Description: A timing side channel allowed an attacker to determine the existence of user accounts on a system. This issue was addressed by introducing constant time checks.
    CVE-2016-4745: an anonymous researcher
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: A local application may be able to access restricted files
    Description: A parsing issue in the handling of directory paths was addressed through improved path validation.
    CVE-2016-4771: Balazs Bucsay, Research Director of MRG Effitas
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: A remote attacker may be able to cause a denial of service
    Description: A lock handling issue was addressed through improved lock handling.
    CVE-2016-4772: Marc Heuse of mh-sec
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to determine kernel memory layout
    Description: Multiple out-of-bounds read issues existed that led to the disclosure of kernel memory. These were addressed through improved input validation.
    CVE-2016-4773: Brandon Azad
    CVE-2016-4774: Brandon Azad
    CVE-2016-4776: Brandon Azad
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4775: Brandon Azad
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: An untrusted pointer dereference was addressed by removing the affected code.
    CVE-2016-4777: Lufeng Li of Qihoo 360 Vulcan Team
  • Kernel
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues were addressed through improved memory handling.
    CVE-2016-4778: CESG
  • libarchive
    Available for: OS X El Capitan v10.11.6
    Impact: Multiple issues in libarchive
    Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.
    CVE-2016-4736: Proteas of Qihoo 360 Nirvan Team
  • libxml2
    Available for: OS X El Capitan v10.11.6
    Impact: Multiple issues in libxml2, the most significant of which may lead to unexpected application termination or arbitrary code execution
    Description: Multiple memory corruption issues were addressed through improved memory handling.
    CVE-2016-4658: Nick Wellnhofer
    CVE-2016-5131: Nick Wellnhofer
  • libxslt
    Available for: OS X El Capitan v10.11.6
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4738: Nick Wellnhofer
  • mDNSResponder
    Available for: OS X El Capitan v10.11.6
    Impact: A remote attacker may be able to view sensitive information
    Description: Applications using VMnet.framework enabled a DNS proxy listening on all network interfaces. This issue was addressed by restricting DNS query responses to local interfaces.
    CVE-2016-4739: Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker, Inc.
  • NSSecureTextField
    Available for: OS X El Capitan v10.11.6
    Impact: A malicious application may be able to leak a user's credentials
    Description: A state management issue existed in NSSecureTextField, which failed to enable Secure Input. This issue was addressed through improved window management.
    CVE-2016-4742: Rick Fillion of AgileBits, Daniel Jalkut of Red Sweater Software
  • Perl
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to bypass the taint protection mechanism
    Description: An issue existed in the parsing of environment variables. This issue was addressed through improved validation of environment variables.
    CVE-2016-4748: Stephane Chazelas
  • S2 Camera
    Available for: OS X El Capitan v10.11.6
    Impact: An application may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-2016-4750: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro’s Zero Day Initiative
  • Security
    Available for: OS X El Capitan v10.11.6
    Impact: An application using SecKeyDeriveFromPassword may leak memory
    Description: A resource management issue existed in the handling of key derivation. This issue was addressed by adding CF_RETURNS_RETAINED to SecKeyDeriveFromPassword.
    CVE-2016-4752: Mark Rogers of PowerMapper Software
  • Security
    Available for: OS X El Capitan v10.11.6
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: A validation issue existed in signed disk images. This issue was addressed through improved size validation.
    CVE-2016-4753: Mark Mentovai of Google Inc.
  • Terminal
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to leak sensitive user information
    Description: A permissions issue existed in .bash_history and .bash_session. This issue was addressed through improved access restrictions.
    CVE-2016-4755: Axel Luttgens
  • WindowServer
    Available for: OS X El Capitan v10.11.6
    Impact: A local user may be able to gain root privileges
    Description: A type confusion issue was addressed through improved memory handling.
    CVE-2016-4709: an anonymous researcher
    CVE-2016-4710: an anonymous researcher
macOS Sierra 10.12 includes the security content of Safari 10.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Feb 17, 2016

A Message to Our Customers

February 16, 2016

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. 
This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.
All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.
Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.
For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.
When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.
We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.
In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.
The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.
We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.
The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.
The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.
We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.
While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.
Tim Cook

Jan 19, 2016

About the security content of iOS 9.2.1

This document describes the security content of iOS 9.2.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.

iOS 9.2.1

  • Disk Images
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team
  • IOHIDFamily
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1719 : Ian Beer of Google Project Zero
  • IOKit
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1720 : Ian Beer of Google Project Zero
  • Kernel
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend Micro
  • libxslt
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: A type confusion issue existed in libxslt. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7995 : puzzor
  • syslog
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with root privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs
  • WebKit
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2016-1723 : Apple
    CVE-2016-1724 : Apple
    CVE-2016-1725 : Apple
    CVE-2016-1726 : Apple
    CVE-2016-1727 : Apple
  • WebKit CSS
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Websites may know if the user has visited a given link
    Description: A privacy issue existed in the handling of the "a:visited button" CSS selector when evaluating the containing element's height. This was addressed through improved validation.
    CVE-ID
    CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix
  • WebSheet
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious captive portal may be able to access the user's cookies
    Description: An issue existed that allowed some captive portals to read or write cookies. The issue was addressed through an isolated cookie store for all captive portals.
    CVE-ID
    CVE-2016-1730 : Adi Sharabani and Yair Amit of Skycure

About the security content of OS X El Capitan 10.11.3 and Security Update 2016-001

This document describes the security content of OS X El Capitan 10.11.3 and Security Update 2016-001.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.

OS X El Capitan 10.11.3 and Security Update 2016-001

  • AppleGraphicsPowerManagement
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1716 : moony li of Trend Micro and Liang Chen and Sen Nie of KeenLab, Tencent
  • Disk Images
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1717 : Frank Graziano of Yahoo! Pentest Team
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11.0 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1718 : Juwei Lin Trend Micro working with HP's Zero Day Initiative
  • IOHIDFamily
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1719 : Ian Beer of Google Project Zero
  • IOKit
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1720 : Ian Beer of Google Project Zero
  • Kernel
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1721 : Ian Beer of Google Project Zero and Ju Zhu of Trend Micro
  • libxslt
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.2
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: A type confusion issue existed in libxslt. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7995 : puzzor
  • OSA Scripts
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A quarantined application may be able to override OSA script libraries installed by the user
    Description: An issue existed when searching for scripting libraries. This issue was addressed through improved search order and quarantine checks.
    CVE-ID
    CVE-2016-1729 : an anonymous researcher
  • syslog
    Available for: OS X El Capitan v10.11 to v10.11.2
    Impact: A local user may be able to execute arbitrary code with root privileges
    Description: A memory corruption issue was addressed through improved memory handling.
    CVE-ID
    CVE-2016-1722 : Joshua J. Drake and Nikias Bassen of Zimperium zLabs
OS X El Capitan 10.11.3 includes the security content of Safari 9.0.3.

Dec 8, 2015

About the security content of OS X El Capitan 10.11.2 and Security Update 2015-008

This document describes the security content of OS X El Capitan 10.11.2 and Security Update 2015-008.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.

OS X El Capitan 10.11.2 and Security Update 2015-008

  • apache_mod_php
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in PHP
    Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30.
    CVE-ID
    CVE-2015-7803
    CVE-2015-7804
  • AppSandbox
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may maintain access to Contacts after having access revoked
    Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
    CVE-ID
    CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt
  • Bluetooth
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in the Bluetooth HCI interface. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7108 : Ian Beer of Google Project Zero
  • CFNetwork HTTPProtocol
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: An attacker with a privileged network position may be able to bypass HSTS
    Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
    CVE-ID
    CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)
  • Compression
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
    CVE-ID
    CVE-2015-7054 : j00ru
  • Configuration Profiles
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local attacker may be able to install a configuration profile without admin privileges
    Description: An issue existed when installing configuration profiles. This issue was addressed through improved authorization checks.
    CVE-ID
    CVE-2015-7062 : David Mulder of Dell Software
  • CoreGraphics
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team
  • CoreMedia Playback
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7074 : Apple
    CVE-2015-7075
  • Disk Images
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7110 : Ian Beer of Google Project Zero
  • EFI
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A path validation issue existed in the kernel loader. This was addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7063 : Apple
  • File Bookmark
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A sandboxed process may be able to circumvent sandbox restrictions
    Description: A path validation issue existed in app scoped bookmarks. This was addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7071 : Apple
  • Hypervisor
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A use after free issue existed in the handling of VM objects. This issue was addressed through improved memory management.
    CVE-ID
    CVE-2015-7078 : Ian Beer of Google Project Zero
  • iBooks
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
    Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
    CVE-ID
    CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)
  • ImageIO
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted image may lead to arbitrary code execution
    Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7053 : Apple
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A null pointer dereference issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-7076 : Juwei Lin of TrendMicro, beist and ABH of BoB, and JeongHoon Shin@A.D.D
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in the Intel Graphics Driver. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7106 : Ian Beer of Google Project Zero, Juwei Lin of TrendMicro, beist and ABH of BoB, and JeongHoon Shin@A.D.D
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: An out of bounds memory access issue existed in the Intel Graphics Driver. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7077 : Ian Beer of Google Project Zero
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7109 : Juwei Lin of TrendMicro
  • IOHIDFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7111 : beist and ABH of BoB
    CVE-2015-7112 : Ian Beer of Google Project Zero
  • IOKit SCSI
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with kernel privileges
    Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
    CVE-ID
    CVE-2015-7068 : Ian Beer of Google Project Zero
  • IOThunderboltFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to cause a system denial of service
    Description: A null pointer dereference existed in IOThunderboltFamily's handling of certain userclient types. This issue was addressed through improved validation of IOThunderboltFamily contexts.
    CVE-ID
    CVE-2015-7067 : Juwei Lin of TrendMicro
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local application may be able to cause a denial of service
    Description: Multiple denial of service issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7043 : Tarjei Mandt (@kernelpool)
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7083 : Ian Beer of Google Project Zero
    CVE-2015-7084 : Ian Beer of Google Project Zero
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
    CVE-ID
    CVE-2015-7047 : Ian Beer of Google Project Zero
  • kext tools
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A validation issue existed during the loading of kernel extensions. This issue was addressed through additional verification.
    CVE-ID
    CVE-2015-7052 : Apple
  • Keychain Access
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to masquerade as the Keychain Server.
    Description: An issue existed in how Keychain Access interacted with Keychain Agent. This issue was resolved by removing legacy functionality.
    CVE-ID
    CVE-2015-7045 : Luyi Xing and XiaoFeng Wang of Indiana University Bloomington, Xiaolong Bai of Indiana University Bloomington and Tsinghua University, Tongxin Li of Peking University, Kai Chen of Indiana University Bloomington and Institute of Information Engineering, Xiaojing Liao of Georgia Institute of Technology, Shi-Min Hu of Tsinghua University, and Xinhui Han of Peking University
  • libarchive
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2011-2895 : @practicalswift
  • libc
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted package may lead to arbitrary code execution
    Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
    CVE-ID
    CVE-2015-7038
    CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
  • libexpat
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in expat
    Description: Multiple vulnerabilities existed in expat versions prior to 2.1.0. These were addressed by updating expat to version 2.1.0.
    CVE-ID
    CVE-2012-0876 : Vincent Danen
    CVE-2012-1147 : Kurt Seifried
    CVE-2012-1148 : Kurt Seifried
  • libxml2
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
    Description: A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-3807 : Wei Lei and Liu Yang of Nanyang Technological University
  • OpenGL
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7064 : Apple
    CVE-2015-7065 : Apple
    CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks
  • OpenLDAP
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A remote unauthenticated client may be able to cause a denial of service
    Description: An input validation issue existed in OpenLDAP. This issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-6908
  • OpenSSH
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in LibreSSL
    Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.
    CVE-ID
    CVE-2015-5333
    CVE-2015-5334
  • QuickLook
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Opening a maliciously crafted iWork file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7107
  • Sandbox
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization
    Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.
    CVE-ID
    CVE-2015-7046 : Apple
  • Security
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.
  • Security
    Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
    Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in the ASN.1 decoder. These issues were addressed through improved input validation.
    CVE-ID
    CVE-2015-7059 : David Keeler of Mozilla
    CVE-2015-7060 : Tyson Smith of Mozilla
    CVE-2015-7061 : Ryan Sleevi of Google
  • Security
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may gain access to a user's Keychain items
    Description: An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.
    CVE-ID
    CVE-2015-7058
  • System Integrity Protection
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application with root privileges may be able to execute arbitrary code with system privileges
    Description: A privilege issue existed in handling union mounts. This issue was addressed by improved authorization checks.
    CVE-ID
    CVE-2015-7044 : MacDefender

Notes

  • Security Update 2015-008 is recommended for all users and improves the security of OS X. After installing this update, the QuickTime 7 web browser plug-in will no longer be enabled by default. Learn what to do if you still need this legacy plug-in.
  • OS X El Capitan v10.11.2 includes the security content of Safari 9.0.2.
Last Modified: