The Mac Security Blog

Security News

Apple Updates OS X El Capitan, Issues Security Update 2016-002

Posted on by

Software Update

This week, Apple released security updates for nearly all of its software, and if you haven’t already done so, you should install them to steer clear of the bad guys who might attempt to exploit the now known vulnerabilities.

We encourage all Apple users to download and install all relevant software updates — patching holes in your software’s armor is your first line of defense to protect yourself against known vulnerabilities. It only takes a few moments to update your software, and if doing so can help ensure hackers don’t ruin your day, updating is time well spent.

iPhone and iPad users should get iOS 9.3 to fix the iMessage encryption flaw. Mac users should grab OS X El Capitan 10.11.4, or Security Update 2016-002, which patches the vulnerabilities described below. If you browse the web using Safari, you should fetch the latest patches in Safari 9.1 to close a security hole that could leak potentially sensitive information. Furthermore, Apple Watch users should update to watchOS 2.2, while Apple TV users should install tvOS 9.2.

OS X Mavericks Yosemite El Capitan logos

Security Update 2016-002 is available for OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11 to 10.11.3.

Security Update 2016-002 includes fixes for the following security bugs:

  • CVE-2015-8126, CVE-2015-8472 : Processing a maliciously crafted .png file may lead to arbitrary code execution. Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.
  • CVE-2016-1733 : An application may be able to execute arbitrary code with kernel privileges. A memory corruption issue was addressed through improved input validation.
  • CVE-2016-1732 : A local user may be able to determine kernel memory layout. An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
  • CVE-2016-1734 : An application may be able to execute arbitrary code with kernel privileges. A memory corruption issue existed in the parsing of data from USB devices. This issue was addressed through improved input validation.
  • CVE-2016-1735, CVE-2016-1736 : An application may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1737 : Processing a maliciously crafted .dfont file may lead to arbitrary code execution. Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.
  • CVE-2016-1738 : An attacker may tamper with code-signed applications to execute arbitrary code in the application’s context. A code signing verification issue existed in dyld. This issue was addressed with improved validation.
  • CVE-2016-1740 : Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue was addressed through improved memory handling.
  • CVE-2015-8659 : A remote attacker may be able to execute arbitrary code. Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.
  • CVE-2016-1743, CVE-2016-1744 : An application may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1745 : A local user may be able to cause a denial of service. A null pointer dereference was addressed through improved validation.
  • CVE-2016-1746, CVE-2016-1747 : An application may be able to execute arbitrary code with kernel privileges. A memory corruption issue was addressed through improved input validation.
  • CVE-2016-1748 : An application may be able to determine kernel memory layout. A memory corruption issue was addressed through improved memory handling.
  • CVE-2016-1749 : An application may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1750 : An application may be able to execute arbitrary code with kernel privileges. A use after free issue was addressed through improved memory management.
  • CVE-2016-1757 : An application may be able to execute arbitrary code with kernel privileges. A race condition existed during the creation of new processes. This was addressed through improved state handling.
  • CVE-2016-1756 : An application may be able to execute arbitrary code with kernel privileges. A null pointer dereference was addressed through improved input validation.
  • CVE-2016-1754, CVE-2016-1755, CVE-2016-1759 : An application may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1758 : An application may be able to determine kernel memory layout. An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
  • CVE-2016-1753 : An application may be able to execute arbitrary code with kernel privileges. Multiple integer overflows were addressed through improved input validation.
  • CVE-2016-1752 : An application may be able to cause a denial of service. A denial of service issue was addressed through improved validation.
  • CVE-2015-1819, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500CVE-2015-7942, CVE-2015-8035, CVE-2015-8242, CVE-2016-1761, CVE-2016-1762 : Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1788 : An attacker who is able to bypass Apple’s certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments. A cryptographic issue was addressed by rejecting duplicate messages on the client.
  • CVE-2016-1764 : Clicking a JavaScript link can reveal sensitive user information. An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.
  • CVE-2016-1741 : An application may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-0777, CVE-2016-0778 : Connecting to a server may leak sensitive user information, such as a client’s private keys. Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client.
  • CVE-2015-5333, CVE-2015-5334 : Multiple vulnerabilities in LibreSSL. Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.
  • CVE-2015-3195 : A remote attacker may be able to cause a denial of service. A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh.
  • CVE-2014-9495, CVE-2015-0973, CVE-2015-8126, CVE-2015-8472 : Processing a maliciously crafted .png file may lead to arbitrary code execution. Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.
  • CVE-2016-1767, CVE-2016-1768 : Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1769 : Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution. Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2016-1770 : Clicking a tel link can make a call without prompting the user. A user was not prompted before invoking a call. This was addressed through improved entitlement checks.
  • CVE-2015-7551 : A local attacker may be able to cause unexpected application termination or arbitrary code execution. An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. This issue was addressed by updating to version 2.0.0-p648.
  • CVE-2016-1773 : A local user may be able to check for the existence of arbitrary files. A permissions issue existed in code signing tools. This was addressed though additional ownership checks.
  • CVE-2016-1950 : Processing a maliciously crafted certificate may lead to arbitrary code execution. A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.
  • CVE-2015-8126 : Processing a maliciously crafted .png file may lead to arbitrary code execution. Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by removing libpng.
  • CVE-2016-1775 : Processing a maliciously crafted font file may lead to arbitrary code execution. A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
  • CVE-2016-0801, CVE-2016-0802 : An attacker with a privileged network position may be able to execute arbitrary code. A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.

Before updating your operating system, it’s always a good plan to back up your Mac’s files in case of malfunction or other disaster. El Capitan users can head over to the El Capitan page on the Mac App Store to get OS X El Capitan 10.11.4, which includes the security content of Safari 9.1.

Downloads