Today, Apple released software updates with security fixes for just about all of its products: macOS, iOS, watchOS, tvOS and Safari. Apple’s security updates are available for all Apple Watch models, iPhone 5 and later, iPad (4th generation and later), iPod touch (6th generation and later), Apple TV (4th generation), OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.
One of the best things you can do to secure your computer is to keep your software up to date, because software vulnerabilities tend to be the easiest point of entry for hackers to circumvent your defenses. For this reason alone, it’s imperative to update the software on your Mac, your iOS devices, Apple TV and on your Apple Watch. Below is a list of issues addressed in Apple’s latest security updates, along with directions on where to obtain the updates.
Listed as an update that improves stability, compatibility and security, it addresses the following:
There are also 16 security fixes included. Most notable are patches to Security, where a local attacker may have been able to observe the length of a login password upon login, and to CoreGraphics and ImageIO, where viewing or parsing a maliciously crafted JPEG or PDF file may have led to arbitrary code execution. FontParser also received a patch to prevent the disclosure of sensitive user information if a maliciously crafted font was parsed. FaceTime also received a patch to prevent an attacker in a privileged network position from causing a relayed call to continue transmitting audio while appearing as if the call terminated. The Safari 10.0.1 update is wrapped into this Sierra update as well. The full list of security fixes can be seen below or by visiting the Apple website.
Full list of macOS Sierra 10.12.1 security fixes (released October 24, 2016):
AppleGraphicsControl
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved lock state checking.
CVE-2016-4662: Apple
AppleSMC
Available for: macOS Sierra 10.12
Impact: A local user may be able to elevate privileges
Description: A null pointer dereference was addressed through improved locking.
CVE-2016-4678: daybreaker@Minionz working with Trend Micro’s Zero Day Initiative
ATS
Available for: macOS Sierra 10.12
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4667: Simmon Huang of alipay, Thelongestusernameofall@gmail.com, Moony Li of Trend Micro, @Flyic
ATS
Available for: macOS Sierra 10.12
Impact: A local user may be able to execute arbitrary code with additional privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4674: Shrek_wzw of Qihoo 360 Nirvan Team
CFNetwork Proxies
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.
CVE-2016-7579: Jerry Decime
CoreGraphics
Available for: macOS Sierra 10.12
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent
FaceTime
Available for: macOS Sierra 10.12
Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated
Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.
CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com
FontParser
Available for: macOS Sierra 10.12
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab
ImageIO
Available for: OS X El Capitan v10.11.6
Impact: Parsing a maliciously crafted PDF may lead to arbitrary code execution
Description: An out-of-bounds write was addressed through improved bounds checking.
CVE-2016-4671: Ke Liu of Tencent’s Xuanwu Lab, Juwei Lin (@fuzzerDOTcn)
ImageIO
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing a maliciously crafted image may result in the disclosure of process memory
Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.
CVE-2016-4682: Ke Liu of Tencent’s Xuanwu Lab
libarchive
Available for: macOS Sierra 10.12
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd
libxpc
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero
ntfs
Available for: macOS Sierra 10.12
Impact: An application may be able to cause a denial of service
Description: An issue existed in the parsing of disk images. This issue was addressed through improved validation.
CVE-2016-4661: Recurity Labs on behalf of BSI (German Federal Office for Information Security)
NVIDIA Graphics Drivers
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to cause a denial of service
Description: A memory corruption issue was addressed through improved input validation.
CVE-2016-4663: Apple
Security
Available for: macOS Sierra 10.12
Impact: A local attacker can observe the length of a login password when a user logs in
Description: A logging issue existed in the handling of passwords. This issue was addressed by removing password length logging.
CVE-2016-4670: an anonymous researcher
System Boot
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero
The update can be downloaded by going to the App Store > Updates tab.
Note that Security Update 2016-002 10.11.6 was also released today for El Capitan users and Security Update 2016-006 10.10.5 for Yosemite users. The vulnerabilities these updates address are listed on the Sierra 10.12.1 security content page.
These Security Updates can be downloaded through the download links above or the App Store via the Updates tab.
Listed as an update that includes Portrait Camera for iPhone 7 Plus (beta), transit directions for Japan, stability improvements and bug fixes. The list of improvements is lengthy and can be read here. As for security-related fixes, there were a total of 13. Most of the same issues that were found in macOS were addressed in iOS as well, including the Security, CoreGraphics, ImageIO and FontParser vulnerabilities. For iOS specifically, two Sandbox Profiles vulnerabilities were addressed to prevent an application from being able to retrieve metadata of photo directories and audio recording directories. The full list of security fixes can be seen below or by visiting the Apple website.
Full list of iOS 10.1 security fixes (released October 24, 2016):
CFNetwork Proxies
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.
CVE-2016-7579: Jerry Decime
Contacts
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to maintain access to the Address Book after access is revoked in Settings
Description: An access control issue in the Address Book was addressed through improved file-link validation.
CVE-2016-4686: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
CoreGraphics
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent
FaceTime
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated
Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.
CVE-2016-4635: Martin Vigo (@martin_vigo) of salesforce.com
FontParser
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab
Kernel
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4680: Max Bazaliy of Lookout and in7egral
libarchive
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd
libxpc
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero
Sandbox Profiles
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to retrieve metadata of photo directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
Sandbox Profiles
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An application may be able to retrieve metadata of audio recording directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
Security
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A local attacker can observe the length of a login password when a user logs in
Description: A logging issue existed in the handling of passwords. This issue was addressed by removing password length logging.
CVE-2016-4670: an anonymous researcher
System Boot
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero
WebKit
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4677: Anonymous working with Trend Micro Zero Day Initiative
The update can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.
A combined 10 security issues were addressed in tvOS 10.0.1, mostly the same as those addressed in iOS. The full list of security fixes can be seen below or by visiting the Apple website.
Full list of tvOS 10.0.1 security fixes (released October 24, 2016):
CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: A phishing issue existed in the handling of proxy credentials. This issue was addressed by removing unsolicited proxy password authentication prompts.
CVE-2016-7579: Jerry Decime
CoreGraphics
Available for: Apple TV (4th generation)
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent
FontParser
Available for: Apple TV (4th generation)
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab
Kernel
Available for: Apple TV (4th generation)
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4680: Max Bazaliy of Lookout and in7egral
libarchive
Available for: Apple TV (4th generation)
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd
libxpc
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero
Sandbox Profiles
Available for: Apple TV (4th generation)
Impact: An application may be able to retrieve metadata of photo directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
Sandbox Profiles
Available for: Apple TV (4th generation)
Impact: An application may be able to retrieve metadata of audio recording directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
System Boot
Available for: Apple TV (4th generation)
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero
WebKit
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4677: Anonymous working with Trend Micro’s Zero Day Initiative
The update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Listed as an update that includes improvements and bug fixes.
The update also includes 8 security fixes, which are the same as those addressed in iOS 10.1. The full list of security fixes can be seen below or by visiting the Apple website.
Full list of watchOS 3.1 security fixes (released October 24, 2016):
CoreGraphics
Available for: All Apple Watch models
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent
FontParser
Available for: All Apple Watch models
Impact: Parsing a maliciously crafted font may disclose sensitive user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2016-4660: Ke Liu of Tencent’s Xuanwu Lab
Kernel
Available for: All Apple Watch models
Impact: An application may be able to disclose kernel memory
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4680: Max Bazaliy of Lookout and in7egral
libarchive
Available for: All Apple Watch models
Impact: A malicious archive may be able to overwrite arbitrary files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed through improved path sanitization.
CVE-2016-4679: Omer Medan of enSilo Ltd
libxpc
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with root privileges
Description: A logic issue was addressed through additional restrictions.
CVE-2016-4675: Ian Beer of Google Project Zero
Sandbox Profiles
Available for: All Apple Watch models
Impact: An application may be able to retrieve metadata of photo directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4664: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
Sandbox Profiles
Available for: All Apple Watch models
Impact: An application may be able to retrieve metadata of audio recording directories
Description: An access issue was addressed through additional sandbox restrictions on third party applications.
CVE-2016-4665: Razvan Deaconescu, Mihai Chiroiu (University POLITEHNICA of Bucharest); Luke Deshotels, William Enck (North Carolina State University); Lucas Vincenzo Davi, Ahmad-Reza Sadeghi (TU Darmstadt)
System Boot
Available for: All Apple Watch models
Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel
Description: Multiple input validation issues existed in MIG generated code. These issues were addressed through improved validation.
CVE-2016-4669: Ian Beer of Google Project Zero
The update can be installed by connecting the watch to its charger, then opening the Apple Watch app on the iPhone and going to My Watch tab > General > Software Update.
Available for OS X Yosemite 10.10.5, OS X El Capitan 10.11.6 and macOS Sierra 10.12 and fixes 3 WebKit vulnerabilities. Those 3 vulnerabilities were enough for Apple to push out this update as they address arbitrary code execution and the disclosure of sensitive user information if a maliciously crafted website is visited. The full details of the security fixes can be seen below or by visiting the Apple website.
Full list of Safari 10.0.1 security fixes (released October 24, 2016):
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4666: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
Impact: Processing maliciously crafted web content may lead to the disclosure of sensitive user information
Description: A cross-origin issue existed with location attributes. This was addressed through improved tracking of location attributes across origins.
CVE-2016-4676: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4677: Anonymous working with Trend Micro’s Zero Day Initiative
The update can be downloaded by going to the App Store > Updates tab. It will be visible for Yosemite and El Capitan users as an available update, but current Sierra users who want it will have to install the aforementioned 10.12.1 update, which has the Safari security fixes built in.
Before installing any updates, we recommend that you back up your data, just in case something goes awry during the update process.