Dec 8, 2015

About the security content of OS X El Capitan 10.11.2 and Security Update 2015-008

This document describes the security content of OS X El Capitan 10.11.2 and Security Update 2015-008.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.

OS X El Capitan 10.11.2 and Security Update 2015-008

  • apache_mod_php
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in PHP
    Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30.
    CVE-ID
    CVE-2015-7803
    CVE-2015-7804
  • AppSandbox
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may maintain access to Contacts after having access revoked
    Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
    CVE-ID
    CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt
  • Bluetooth
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in the Bluetooth HCI interface. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7108 : Ian Beer of Google Project Zero
  • CFNetwork HTTPProtocol
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: An attacker with a privileged network position may be able to bypass HSTS
    Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
    CVE-ID
    CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)
  • Compression
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
    CVE-ID
    CVE-2015-7054 : j00ru
  • Configuration Profiles
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local attacker may be able to install a configuration profile without admin privileges
    Description: An issue existed when installing configuration profiles. This issue was addressed through improved authorization checks.
    CVE-ID
    CVE-2015-7062 : David Mulder of Dell Software
  • CoreGraphics
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team
  • CoreMedia Playback
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7074 : Apple
    CVE-2015-7075
  • Disk Images
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7110 : Ian Beer of Google Project Zero
  • EFI
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A path validation issue existed in the kernel loader. This was addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7063 : Apple
  • File Bookmark
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A sandboxed process may be able to circumvent sandbox restrictions
    Description: A path validation issue existed in app scoped bookmarks. This was addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7071 : Apple
  • Hypervisor
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A use after free issue existed in the handling of VM objects. This issue was addressed through improved memory management.
    CVE-ID
    CVE-2015-7078 : Ian Beer of Google Project Zero
  • iBooks
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
    Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
    CVE-ID
    CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)
  • ImageIO
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted image may lead to arbitrary code execution
    Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7053 : Apple
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A null pointer dereference issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-7076 : Juwei Lin of TrendMicro, beist and ABH of BoB, and JeongHoon Shin@A.D.D
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in the Intel Graphics Driver. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7106 : Ian Beer of Google Project Zero, Juwei Lin of TrendMicro, beist and ABH of BoB, and JeongHoon Shin@A.D.D
  • Intel Graphics Driver
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with system privileges
    Description: An out of bounds memory access issue existed in the Intel Graphics Driver. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7077 : Ian Beer of Google Project Zero
  • IOAcceleratorFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7109 : Juwei Lin of TrendMicro
  • IOHIDFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7111 : beist and ABH of BoB
    CVE-2015-7112 : Ian Beer of Google Project Zero
  • IOKit SCSI
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to execute arbitrary code with kernel privileges
    Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
    CVE-ID
    CVE-2015-7068 : Ian Beer of Google Project Zero
  • IOThunderboltFamily
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to cause a system denial of service
    Description: A null pointer dereference existed in IOThunderboltFamily's handling of certain userclient types. This issue was addressed through improved validation of IOThunderboltFamily contexts.
    CVE-ID
    CVE-2015-7067 : Juwei Lin of TrendMicro
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local application may be able to cause a denial of service
    Description: Multiple denial of service issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7043 : Tarjei Mandt (@kernelpool)
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7083 : Ian Beer of Google Project Zero
    CVE-2015-7084 : Ian Beer of Google Project Zero
  • Kernel
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
    CVE-ID
    CVE-2015-7047 : Ian Beer of Google Project Zero
  • kext tools
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: A validation issue existed during the loading of kernel extensions. This issue was addressed through additional verification.
    CVE-ID
    CVE-2015-7052 : Apple
  • Keychain Access
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may be able to masquerade as the Keychain Server.
    Description: An issue existed in how Keychain Access interacted with Keychain Agent. This issue was resolved by removing legacy functionality.
    CVE-ID
    CVE-2015-7045 : Luyi Xing and XiaoFeng Wang of Indiana University Bloomington, Xiaolong Bai of Indiana University Bloomington and Tsinghua University, Tongxin Li of Peking University, Kai Chen of Indiana University Bloomington and Institute of Information Engineering, Xiaojing Liao of Georgia Institute of Technology, Shi-Min Hu of Tsinghua University, and Xinhui Han of Peking University
  • libarchive
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2011-2895 : @practicalswift
  • libc
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Processing a maliciously crafted package may lead to arbitrary code execution
    Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
    CVE-ID
    CVE-2015-7038
    CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
  • libexpat
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in expat
    Description: Multiple vulnerabilities existed in expat versions prior to 2.1.0. These were addressed by updating expat to version 2.1.0.
    CVE-ID
    CVE-2012-0876 : Vincent Danen
    CVE-2012-1147 : Kurt Seifried
    CVE-2012-1148 : Kurt Seifried
  • libxml2
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
    Description: A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-3807 : Wei Lei and Liu Yang of Nanyang Technological University
  • OpenGL
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7064 : Apple
    CVE-2015-7065 : Apple
    CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks
  • OpenLDAP
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A remote unauthenticated client may be able to cause a denial of service
    Description: An input validation issue existed in OpenLDAP. This issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-6908
  • OpenSSH
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: Multiple vulnerabilities in LibreSSL
    Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.
    CVE-ID
    CVE-2015-5333
    CVE-2015-5334
  • QuickLook
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: Opening a maliciously crafted iWork file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7107
  • Sandbox
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization
    Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.
    CVE-ID
    CVE-2015-7046 : Apple
  • Security
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.
  • Security
    Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
    Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in the ASN.1 decoder. These issues were addressed through improved input validation.
    CVE-ID
    CVE-2015-7059 : David Keeler of Mozilla
    CVE-2015-7060 : Tyson Smith of Mozilla
    CVE-2015-7061 : Ryan Sleevi of Google
  • Security
    Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application may gain access to a user's Keychain items
    Description: An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.
    CVE-ID
    CVE-2015-7058
  • System Integrity Protection
    Available for: OS X El Capitan v10.11 and v10.11.1
    Impact: A malicious application with root privileges may be able to execute arbitrary code with system privileges
    Description: A privilege issue existed in handling union mounts. This issue was addressed by improved authorization checks.
    CVE-ID
    CVE-2015-7044 : MacDefender

Notes

  • Security Update 2015-008 is recommended for all users and improves the security of OS X. After installing this update, the QuickTime 7 web browser plug-in will no longer be enabled by default. Learn what to do if you still need this legacy plug-in.
  • OS X El Capitan v10.11.2 includes the security content of Safari 9.0.2.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

About the security content of iOS 9.2

This document describes the security content of iOS 9.2.

iOS 9.2

  • AppleMobileFileIntegrity
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: An access control issue was addressed by preventing modification of access control structures.
    CVE-ID
    CVE-2015-7055 : Apple
  • AppSandbox
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may maintain access to Contacts after having access revoked
    Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
    CVE-ID
    CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt
  • CFNetwork HTTPProtocol
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: An attacker with a privileged network position may be able to bypass HSTS
    Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
    CVE-ID
    CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)
  • Compression
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
    CVE-ID
    CVE-2015-7054 : j00ru
  • CoreGraphics
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
    CVE-ID
    CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team
  • CoreMedia Playback
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7074 : Apple
    CVE-2015-7075
  • dyld
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7072 : Apple
    CVE-2015-7079 : PanguTeam
  • GPUTools Framework
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: Multiple path validation issues existed in Mobile Replayer. These were addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7069 : Luca Todesco (@qwertyoruiop)
    CVE-2015-7070 : Luca Todesco (@qwertyoruiop)
  • iBooks
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
    Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
    CVE-ID
    CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)
  • ImageIO
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Processing a maliciously crafted image may lead to arbitrary code execution
    Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7053 : Apple
  • IOHIDFamily
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7111 : beist and ABH of BoB
    CVE-2015-7112 : Ian Beer of Google Project Zero
  • IOKit SCSI
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with kernel privileges
    Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
    CVE-ID
    CVE-2015-7068 : Ian Beer of Google Project Zero
  • Kernel
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local application may be able to cause a denial of service
    Description: Multiple denial of service issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
    CVE-2015-7043 : Tarjei Mandt (@kernelpool)
  • Kernel
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7083 : Ian Beer of Google Project Zero
    CVE-2015-7084 : Ian Beer of Google Project Zero
  • Kernel
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A local user may be able to execute arbitrary code with kernel privileges
    Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
    CVE-ID
    CVE-2015-7047 : Ian Beer of Google Project Zero
  • LaunchServices
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: A memory corruption issue existed in the processing of malformed plists. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7113 : Olivier Goguel of Free Tools Association
  • libarchive
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2011-2895 : @practicalswift
  • libc
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Processing a maliciously crafted package may lead to arbitrary code execution
    Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
    CVE-ID
    CVE-2015-7038
    CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
  • libxml2
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
    Description: A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-3807 : Wei Lei and Liu Yang of Nanyang Technological University
  • MobileStorageMounter
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may be able to execute arbitrary code with system privileges
    Description: A timing issue existed in loading of the trust cache. This issue was resolved by validating the system environment before loading the trust cache.
    CVE-ID
    CVE-2015-7051 : PanguTeam
  • OpenGL
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7064 : Apple
    CVE-2015-7065 : Apple
    CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks
  • Photos
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: An attacker may be able to use the backup system to access restricted areas of the file system
    Description: A path validation issue existed in Mobile Backup. This was addressed through improved environment sanitization.
    CVE-ID
    CVE-2015-7037 : PanguTeam
  • QuickLook
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Opening a maliciously crafted iWork file may lead to arbitrary code execution
    Description: A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7107
  • Safari
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a malicious website may lead to user interface spoofing
    Description: An issue may have allowed a website to display content with a URL from a different website. This issue was addressed through improved URL handling.
    CVE-ID
    CVE-2015-7093 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
  • Sandbox
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization
    Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.
    CVE-ID
    CVE-2015-7046 : Apple
  • Security
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.
    CVE-ID
    CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.
  • Security
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A malicious application may gain access to a user's Keychain items
    Description: An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.
    CVE-ID
    CVE-2015-7058
  • Siri
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen
    Description: When a request was made to Siri, client side restrictions were not being checked by the server. This issue was addressed through improved restriction checking.
    CVE-ID
    CVE-2015-7080 : Or Safran (www.linkedin.com/profile/view?id=33912591)
  • WebKit
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
    CVE-ID
    CVE-2015-7048 : Apple
    CVE-2015-7095 : Apple
    CVE-2015-7096 : Apple
    CVE-2015-7097 : Apple
    CVE-2015-7098 : Apple
    CVE-2015-7099 : Apple
    CVE-2015-7100 : Apple
    CVE-2015-7101 : Apple
    CVE-2015-7102 : Apple
    CVE-2015-7103 : Apple
  • WebKit
    Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
    Impact: Visiting a maliciously crafted website may reveal a user's browsing history
    Description: An insufficient input validation issue existed in content blocking. This issue was addressed through improved content extension parsing.
    CVE-ID
    CVE-2015-7050 : Luke Li and Jonathan Metzman

About the OS X El Capitan v10.11.2 Update

The OS X El Capitan v10.11.2 Update is recommended for all OS X El Capitan users.
The OS X El Capitan v10.11.2 update improves the stability, compatibility, and security of your Mac, and is recommended for all users.
This update:
  • Improves Wi-Fi reliability
  • Improves the reliability of Handoff and AirDrop
  • Fixes an issue that may cause Bluetooth devices to disconnect
  • Fixes an issue that prevented Mail from deleting messages in an offline Exchange account
  • Fixes an issue that prevented importing photos from an iPhone to a Mac using a USB cable
  • Improves iCloud Photo Sharing for Live Photos
  • Fixes an issue that may prevent Mail from completing the upgrade
  • Fixes an issue that may prevent signing in to FaceTime and Messages
Enterprise content:
  • Resolves an issue where reinstalling a configuration profile containing a certificate payload causes the certificates to be removed instead of updated
  • Resolves an issue that caused multiple authentication prompts in Safari when using NTLM authentication
  • Allows for deferred enablement when using the fdesetup command to enable FileVault with mobile accounts
For detailed information about the security content of this update, see Apple Security Updates.

How to update your Mac

Use the Mac App Store to install the update. It's a good idea to back up your Mac before updating.
Some updates become available only after installing other updates. You should install all available updates, and allow installation to complete without interruption. You can also get this update from the Apple Support Downloads site. You might have unexpected results if third-party OS X modifications have been installed, or you modified OS X in other ways.

Apple security updates - Last Modified: Dec 8, 2015

Apple security updates

This document outlines security updates for Apple products.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
This document describes recent updates and releases.

Obtaining OS X

Information about obtaining OS X (client) can be found here. Information about obtaining OS X Server can be found here.
Software updates for OS X are available from:

Apple Product Security PGP Key

Security updates

| Name and information link | Available for | Release date |
|---|---|---|
| Xcode 7.2 | OS X Yosemite v10.10.5 or later | 8 Dec 2015 |
| Safari 9.0.2 | OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1 | 8 Dec 2015 |
| watchOS 2.1 | Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes | 8 Dec 2015 |
| OS X El Capitan 10.11.2 and Security Update 2015-008 | OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1 | 8 Dec 2015 |
| tvOS 9.1 | Apple TV (4th generation) | 8 Dec 2015 |
| iOS 9.2 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 8 Dec 2015 |
| OS X Server 5.0.15 | OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later | 21 Oct 2015 |
| Xcode 7.1 | OS X Yosemite v10.10.5 or later | 21 Oct 2015 |
| Mac EFI Security Update 2015-002 | OS X Mavericks v10.9.5 | 21 Oct 2015 |
| iTunes 12.3.1 | Windows 7 and later | 21 Oct 2015 |
| OS X El Capitan 10.11.1 and Security Update 2015-007 | OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 | 21 Oct 2015 |
| Safari 9.0.1 | OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 | 21 Oct 2015 |
| watchOS 2.0.1 | Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes | 21 Oct 2015 |
| iOS 9.1 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 21 Oct 2015 |
| Keynote 6.6, Pages 5.6, Numbers 3.6, iWork for iOS 2.6 | OS X Yosemite v10.10.4 or later, iOS 8.4 or later | 15 Oct 2015 |
| OS X El Capitan 10.11 | Mac OS X v10.6.8 and later | 30 Sept 2015 |
| Safari 9 | OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 | 30 Sept 2015 |
| iOS 9.0.2 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 30 Sept 2015 |
| watchOS 2 | Apple Watch Sport, Apple Watch, and Apple Watch Edition | 21 Sept 2015 |
| OS X Server v5.0.3 | OS X Yosemite v10.10.5 or later | 16 Sept 2015 |
| iTunes 12.3 | Windows 7 and later | 16 Sept 2015 |
| Xcode 7.0 | OS X Yosemite v10.10.4 or later | 16 Sept 2015 |
| iOS 9 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 16 Sept 2015 |
| QuickTime 7.7.8 | Windows 7 and Windows Vista | 20 Aug 2015 |
| OS X Server v4.1.5 | OS X Yosemite v10.10.5 or later | 13 Aug 2015 |
| iOS 8.4.1 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 13 Aug 2015 |
| OS X Yosemite 10.10.5 and Security Update 2015-006 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 | 13 Aug 2015 |
| Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.4 | 13 Aug 2015 |
| QuickTime 7.7.7 | Windows 7 and Windows Vista | 30 June 2015 |
| iTunes 12.2 | Windows 8 and Windows 7 | 30 June 2015 |
| Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3 | 30 June 2015 |
| Mac EFI Security Update 2015-001 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 | 30 June 2015 |
| OS X Yosemite 10.10.4 and Security Update 2015-005 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3 | 30 June 2015 |
| iOS 8.4 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 30 June 2015 |
| Watch OS 1.0.1 | Apple Watch Sport, Apple Watch, and Apple Watch Edition | 19 May 2015 |
| Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3 | 06 May 2015 |
| OS X Server 4.1 | OS X Yosemite v10.10 or later | 08 Apr 2015 |
| Xcode 6.3 | OS X Yosemite v10.10 or later | 08 Apr 2015 |
| Apple TV 7.2 | Apple TV 3rd generation and later | 08 Apr 2015 |
| iOS 8.3 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 08 Apr 2015 |
| OS X Yosemite 10.10.3 and Security Update 2015-004 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 | 08 Apr 2015 |
| Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 | 08 Apr 2015 |
| Security Update 2015-003 | OS X Yosemite v10.10.2 | 19 Mar 2015 |
| Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 | 17 Mar 2015 |
| Xcode 6.2 | OS X Mavericks v10.9.4 or later | 09 Mar 2015 |
| Security Update 2015-002 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 | 09 Mar 2015 |
| Apple TV 7.1 | Apple TV 3rd generation and later | 09 Mar 2015 |
| iOS 8.2 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 09 Mar 2015 |
| OS X v10.10.2 and Security Update 2015-001 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 | 27 Jan 2015 |
| Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 | 27 Jan 2015 |
| iOS 8.1.3 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 27 Jan 2015 |
| Apple TV 7.0.3 | Apple TV 3rd generation and later | 27 Jan 2015 |
| OS X NTP Security Update | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 | 22 Dec 2014 |
| Xcode 6.2 beta 3 | OS X Mavericks v10.9.4 or later | 18 Dec 2014 |
| Safari 8.0.2, Safari 7.1.2, and Safari 6.2.2 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 | 11 Dec 2014 |
| iOS 8.1.2 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 9 Dec 2014 |
| Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 | 3 Dec 2014 |
| Apple TV 7.0.2 | Apple TV 3rd generation and later | 17 Nov 2014 |
| OS X Yosemite v10.10.1 | OS X Yosemite v10.10 | 17 Nov 2014 |
| iOS 8.1.1 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 17 Nov 2014 |
| QuickTime 7.7.6 | Windows 7, Vista, XP SP2 or later | 22 Oct 2014 |
| Apple TV 7.0.1 | Apple TV 3rd generation and later | 20 Oct 2014 |
| iOS 8.1 | iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later | 20 Oct 2014 |
| iTunes 12.0.1 | Windows 8, Windows 7, Vista, XP SP2 or later | 16 Oct 2014 |
| OS X Server v2.2.5 | OS X Mountain Lion v10.8.5 | 16 Oct 2014 |
| OS X Server v3.2.2 | OS X Mavericks v10.9.5 or later | 16 Oct 2014 |
| OS X Server v4.0 | OS X Yosemite v10.10 | 16 Oct 2014 |
| Security Update 2014-005 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 | 16 Oct 2014 |
| OS X Yosemite v10.10 | Mac OS X v10.6.8 and later | 16 Oct 2014 |
| OS X bash Update 1.0 | OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 | 29 Sept 2014 |
| OS X Server 2.2.3 and 2.2.4 | OS X Mountain Lion v10.8.5 | 17 Sept 2014 |
| OS X Server 3.2.1 | OS X Mavericks v10.9.5 | 17 Sept 2014 |
| Safari 6.2 and Safari 7.1 | OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 | 17 Sept 2014 |
| OS X Mavericks 10.9.5 and Security Update 2014-004 | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 to v10.9.4 | 17 Sept 2014 |
| Xcode 6.0.1 | OS X Mavericks v10.9.4 or later | 17 Sept 2014 |
| Apple TV 7 | Apple TV 3rd generation and later | 17 Sept 2014 |
| iOS 8 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later | 17 Sept 2014 |
| Safari 6.1.6 and Safari 7.0.6 | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4 | 13 Aug 2014 |
| Apple TV 6.2 | Apple TV 2nd generation and later | 30 June 2014 |
| iOS 7.1.2 | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 30 June 2014 |
| OS X Mavericks 10.9.4 and Security Update 2014-003 | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.3 | 30 June 2014 |
| Safari 6.1.5 and Safari 7.0.5 | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3 | 30 June 2014 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3 | 21 May 2014 |
|  | OS X Mavericks 10.9.3 or later | 20 May 2014 |
|  | Mac OS X v10.6.8 or later | 16 May 2014 |
|  | Windows 8, Windows 7, Vista, XP SP3 or later | 15 May 2014 |
|  | OS X Mavericks 10.9 to 10.9.2 | 15 May 2014 |
|  | AirPort Extreme and AirPort Time Capsule base stations with 802.11ac | 22 Apr 2014 |
|  | Apple TV 2nd generation and later | 22 Apr 2014 |
|  | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 22 Apr 2014 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 | 22 Apr 2014 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2 | 1 Apr 2014 |
|  | Apple TV 2nd generation and later | 10 Mar 2014 |
|  | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 10 Mar 2014 |
|  | Windows 7, Vista, XP SP2 or later | 25 Feb 2014 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1 | 25 Feb 2014 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.1 | 25 Feb 2014 |
|  | Apple TV 2nd generation and later | 21 Feb 2014 |
|  | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 21 Feb 2014 |
|  | iPhone 3GS, iPod touch (4th generation) | 21 Feb 2014 |
|  | Macs using Boot Camp 5 | 11 Feb 2014 |
|  | OS X 10.9 or later, iOS 7 or later | 23 Jan 2014 |
|  | Mac OS X v10.6.8 or later, Windows 8, Windows 7, Vista, XP SP2 or later | 22 Jan 2014 |
|  | OS X Mavericks v10.9 or later | 19 Dec 2013 |
|  | OS X Mavericks v10.9 | 16 Dec 2013 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9 | 16 Dec 2013 |
|  | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 14 Nov 2013 |
|  | Apple Remote Desktop 3.0 or later | 22 Oct 2013 |
|  | Apple Remote Desktop 3.0 or later | 22 Oct 2013 |
|  | OS X Mavericks v10.9 or later | 22 Oct 2013 |
|  | OS X Mavericks v10.9 or later | 22 Oct 2013 |
|  | Mac OS X v10.6.8 and later | 22 Oct 2013 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.5 | 22 Oct 2013 |
|  | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 22 Oct 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7 or later, OS X Mountain Lion v10.8 or later | 15 Oct 2013 |
|  | OS X Mountain Lion v10.8 to v10.8.5 | 03 Oct 2013 |
|  | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 26 Sept 2013 |
|  | Apple TV 2nd generation and later | 19 Sept 2013 |
|  | OS X Mountain Lion v10.8.4 or later | 18 Sept 2013 |
|  | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later | 18 Sept 2013 |
|  | Windows 7, Vista, XP SP2 or later | 18 Sept 2013 |
|  | OS X Mountain Lion v10.8 or later | 17 Sept 2013 |
|  | Mac OS X v10.6.8 | 12 Sept 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.4 | 12 Sept 2013 |
|  | AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule | 13 Aug 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8.4 | 02 July 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7 or later, OS X Mountain Lion v10.8 or later | 18 June 2013 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.3 | 04 June 2013 |
|  | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 | 04 June 2013 |
|  | Windows 7, Vista, XP SP2 or later | 22 May 2013 |
|  | Mac OS X v10.6.8 or later, Windows 7, Vista, XP SP2 or later | 16 May 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7 or later, OS X Mountain Lion v10.8 or later | 16 Apr 2013 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.3 | 16 Apr 2013 |
|  | Apple TV 2nd generation and later | 19 Mar 2013 |
|  | iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later | 19 Mar 2013 |
|  | OS X Lion v10.7.5, OS X Mountain Lion v10.8.2 | 14 Mar 2013 |
|  | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.2 | 14 Mar 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7 or later, OS X Mountain Lion v10.8 or later | 04 Mar 2013 |
|  | Mac OS X v10.6.8, OS X Lion v10.7 or later, OS X Mountain Lion v10.8 or later | 19 Feb 2013 |
|  | OS X Mountain Lion v10.8 or later | 04 Feb 2013 |
|  | Mac OS X v10.6.8 | 01 Feb 2013 |
|  | Apple TV 2nd generation and later | 28 Jan 2013 |
|  | iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later | 28 Jan 2013 |
For information about earlier security updates, see these documents:

Security updates are usually incorporated into later Software Updates

Security updates released for OS X are usually incorporated into the next OS X Software Update.
Security updates may also be available for software released independently from OS X. Software Updates are packaged in a manner to keep systems secure. Security updates are only offered to systems that need the update, and not to later versions that have incorporated the Security Update. For more information, see the "Some, but not all, updates are displayed" section of this document.