logo
DATABASE RESOURCES PRICING ABOUT US

About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite

Description

# About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite This document describes the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite. ## About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page. For more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>). Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible. ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite Released March 27, 2017 **apache** Available for: macOS Sierra 10.12.3 Impact: A remote attacker may be able to cause a denial of service Description: Multiple issues existed in Apache before 2.4.25. These were addressed by updating Apache to version 2.4.25. CVE-2016-0736 CVE-2016-2161 CVE-2016-5387 CVE-2016-8740 CVE-2016-8743 Entry updated March 28, 2017 **apache_mod_php** Available for: macOS Sierra 10.12.3 Impact: Multiple issues existed in PHP before 5.6.30 Description: Multiple issues existed in PHP before 5.6.30. These were addressed by updating PHP to version 5.6.30. CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161 CVE-2016-9935 **AppleGraphicsPowerManagement** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved memory handling. CVE-2017-2421: @cocoahuke **AppleRAID** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-2017-2438: sss and Axis of 360Nirvanteam **Audio** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2430: an anonymous researcher working with Trend Micro’s Zero Day Initiative CVE-2017-2462: an anonymous researcher working with Trend Micro’s Zero Day Initiative **Bluetooth** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2420: Pekka Oikarainen, Matias Karhumaa and Marko Laakso of Synopsys Software Integrity Group **Bluetooth** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2427: Axis and sss of Qihoo 360 Nirvan Team **Bluetooth** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-2017-2449: sss and Axis from 360NirvanTeam **Carbon** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. CVE-2017-2379: riusksk (泉哥) of Tencent Security Platform Department, John Villamil, Doyensec **CoreGraphics** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted image may lead to a denial of service Description: An infinite recursion was addressed through improved state management. CVE-2017-2417: riusksk (泉哥) of Tencent Security Platform Department **CoreMedia** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted .mov file may lead to arbitrary code execution Description: A memory corruption issue existed in the handling of .mov files. This issue was addressed through improved memory management. CVE-2017-2431: kimyok of Tencent Security Platform Department **CoreText** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2435: John Villamil, Doyensec **CoreText** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed through improved input validation. CVE-2017-2450: John Villamil, Doyensec **CoreText** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted text message may lead to application denial of service Description: A resource exhaustion issue was addressed through improved input validation. CVE-2017-2461: Isaac Archambault of IDAoADI, an anonymous researcher **curl** Available for: macOS Sierra 10.12.3 Impact: Maliciously crafted user input to libcurl API may allow arbitrary code execution Description: A buffer overflow was addressed through improved bounds checking. CVE-2016-9586: Daniel Stenberg of Mozilla **EFI** Available for: macOS Sierra 10.12.3 Impact: A malicious Thunderbolt adapter may be able to recover the FileVault 2 encryption password Description: An issue existed in the handling of DMA. This issue was addressed by enabling VT-d in EFI. CVE-2016-7585: Ulf Frisk (@UlfFrisk) **FinderKit** Available for: macOS Sierra 10.12.3 Impact: Permissions may unexpectedly reset when sending links Description: A permission issue existed in the handling of the Send Link feature of iCloud Sharing. This issue was addressed through improved permission controls. CVE-2017-2429: Raymond Wong DO of Arnot Ogden Medical Center Entry updated August 23, 2017 **FontParser** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2487: riusksk (泉哥) of Tencent Security Platform Department CVE-2017-2406: riusksk (泉哥) of Tencent Security Platform Department **FontParser** Available for: macOS Sierra 10.12.3 Impact: Parsing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2407: riusksk (泉哥) of Tencent Security Platform Department **FontParser** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed through improved input validation. CVE-2017-2439: John Villamil, Doyensec **FontParser** Available for: OS X El Capitan v10.11.6 and OS X Yosemite v10.10.5 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. CVE-2016-4688: Simon Huang of Alipay company Entry added April 11, 2017 **HTTPProtocol** Available for: macOS Sierra 10.12.3 Impact: A malicious HTTP/2 server may be able to cause undefined behavior Description: Multiple issues existed in nghttp2 before 1.17.0. These were addressed by updating nghttp2 to version 1.17.0. CVE-2017-2428 Entry updated March 28, 2017 **Hypervisor** Available for: macOS Sierra 10.12.3 Impact: Applications using the Hypervisor framework may unexpectedly leak the CR8 control register between guest and host Description: An information leakage issue was addressed through improved state management. CVE-2017-2418: Alex Fishman and Izik Eidus of Veertu Inc. **iBooks** Available for: macOS Sierra 10.12.3 Impact: Parsing a maliciously crafted iBooks file may lead to local file disclosure Description: An information leak existed in the handling of file URLs. This issue was addressed through improved URL handling. CVE-2017-2426: Craig Arendt of Stratum Security, Jun Kokatsu (@shhnjk) **ImageIO** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2416: Qidan He (何淇丹, @flanker_hqd) of KeenLab, Tencent **ImageIO** Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5 Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2432: an anonymous researcher working with Trend Micro's Zero Day Initiative **ImageIO** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2467 **ImageIO** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted image may lead to unexpected application termination Description: An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in ImageIO to version 4.0.7. CVE-2016-3619 **Intel Graphics Driver** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2443: Ian Beer of Google Project Zero **Intel Graphics Driver** Available for: macOS Sierra 10.12.3 Impact: An application may be able to disclose kernel memory Description: A validation issue was addressed through improved input sanitization. CVE-2017-2489: Ian Beer of Google Project Zero Entry added March 31, 2017 **IOATAFamily** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2408: Yangkang (@dnpushme) of Qihoo360 Qex Team **IOFireWireAVC** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2436: Orr A, IBM Security **IOFireWireAVC** Available for: macOS Sierra 10.12.3 Impact: A local attacker may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2437: Benjamin Gnahm (@mitp0sh) of Blue Frost Security **IOFireWireFamily** Available for: macOS Sierra 10.12.3 Impact: An application may be able to cause a denial of service Description: A null pointer dereference was addressed through improved input validation. CVE-2017-2388: Brandon Azad, an anonymous researcher **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2398: Lufeng Li of Qihoo 360 Vulcan Team CVE-2017-2401: Lufeng Li of Qihoo 360 Vulcan Team **Kernel** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation. CVE-2017-2410: Apple **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: An integer overflow was addressed through improved input validation. CVE-2017-2440: an anonymous researcher **Kernel** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: A race condition was addressed through improved memory handling. CVE-2017-2456: lokihardt of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-2017-2472: Ian Beer of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2473: Ian Beer of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: An off-by-one issue was addressed through improved bounds checking. CVE-2017-2474: Ian Beer of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved locking. CVE-2017-2478: Ian Beer of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-2482: Ian Beer of Google Project Zero CVE-2017-2483: Ian Beer of Google Project Zero **Kernel** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with elevated privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2490: Ian Beer of Google Project Zero, The UK's National Cyber Security Centre (NCSC) Entry added March 31, 2017 **Kernel** Available for: macOS Sierra 10.12.3 Impact: The screen may unexpectedly remain unlocked when the lid is closed Description: An insufficient locking issue was addressed with improved state management. CVE-2017-7070: Ed McKenzie Entry added August 10, 2017 **Keyboards** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code Description: A buffer overflow was addressed through improved bounds checking. CVE-2017-2458: Shashank (@cyberboyIndia) **Keychain** Available for: macOS Sierra 10.12.3 Impact: An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain. Description: In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets. This issue was addressed through improved validation. CVE-2017-2448: Alex Radocea of Longterm Security, Inc. Entry updated March 30, 2017 **libarchive** Available for: macOS Sierra 10.12.3 Impact: A local attacker may be able to change file system permissions on arbitrary directories Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks. CVE-2017-2390: Omer Medan of enSilo Ltd **libc++abi** Available for: macOS Sierra 10.12.3 Impact: Demangling a malicious C++ application may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2441 **LibreSSL** Available for: macOS Sierra 10.12.3 and OS X El Capitan v10.11.6 Impact: A local user may be able to leak sensitive user information Description: A timing side channel allowed an attacker to recover keys. This issue was addressed by introducing constant time computation. CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology) **libxslt** Available for: OS X El Capitan v10.11.6 Impact: Multiple vulnerabilities in libxslt Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2477 Entry added March 30, 2017 **libxslt** Available for: macOS Sierra 10.12.3, OS X El Capitan v10.11.6, and Yosemite v10.10.5 Impact: Multiple vulnerabilities in libxslt Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-5029: Holger Fuhrmannek Entry added March 28, 2017 **MCX Client** Available for: macOS Sierra 10.12.3 Impact: Removing a configuration profile with multiple payloads may not remove Active Directory certificate trust Description: An issue existed in profile uninstallation. This issue was addressed through improved cleanup. CVE-2017-2402: an anonymous researcher **Menus** Available for: macOS Sierra 10.12.3 Impact: An application may be able to disclose process memory Description: An out-of-bounds read was addressed through improved input validation. CVE-2017-2409: Sergey Bylokhov **Multi-Touch** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2422: @cocoahuke **OpenSSH** Available for: macOS Sierra 10.12.3 Impact: Multiple issues in OpenSSH Description: Multiple issues existed in OpenSSH before version 7.4. These were addressed by updating OpenSSH to version 7.4. CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 **OpenSSL** Available for: macOS Sierra 10.12.3 Impact: A local user may be able to leak sensitive user information Description: A timing side channel issue was addressed by using constant time computation. CVE-2016-7056: Cesar Pereida García and Billy Brumley (Tampere University of Technology) **Printing** Available for: macOS Sierra 10.12.3 Impact: Clicking a malicious IPP(S) link may lead to arbitrary code execution Description: An uncontrolled format string issue was addressed through improved input validation. CVE-2017-2403: beist of GrayHash **python** Available for: macOS Sierra 10.12.3 Impact: Processing maliciously crafted zip archives with Python may lead to arbitrary code execution Description: A memory corruption issue existed in the handling of zip archives. This issue was addressed through improved input validation. CVE-2016-5636 **QuickTime** Available for: macOS Sierra 10.12.3 Impact: Viewing a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in QuickTime. This issue was addressed through improved memory handling. CVE-2017-2413: Simon Huang(@HuangShaomang) and pjf of IceSword Lab of Qihoo 360 **Security** Available for: macOS Sierra 10.12.3 Impact: Validating empty signatures with SecKeyRawVerify() may unexpectedly succeed Description: An validation issue existed with cryptographic API calls. This issue was addressed through improved parameter validation. CVE-2017-2423: an anonymous researcher **Security** Available for: macOS Sierra 10.12.3 Impact: An application may be able to execute arbitrary code with root privileges Description: A buffer overflow was addressed through improved bounds checking. CVE-2017-2451: Alex Radocea of Longterm Security, Inc. **Security** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted x509 certificate may lead to arbitrary code execution Description: A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation. CVE-2017-2485: Aleksandar Nikolic of Cisco Talos **SecurityFoundation** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A double free issue was addressed through improved memory management. CVE-2017-2425: kimyok of Tencent Security Platform Department **sudo** Available for: macOS Sierra 10.12.3 Impact: A user in an group named "admin" on a network directory server may be able to unexpectedly escalate privileges using sudo Description: An access issue existed in sudo. This issue was addressed through improved permissions checking. CVE-2017-2381 **System Integrity Protection** Available for: macOS Sierra 10.12.3 Impact: A malicious application may be able to modify protected disk locations Description: A validation issue existed in the handling of system installation. This issue was addressed through improved handling and validation during the installation process. CVE-2017-6974: Patrick Wardle of Synack **tcpdump** Available for: macOS Sierra 10.12.3 Impact: An attacker in a privileged network position may be able to execute arbitrary code with user assistance Description: Multiple issues existed in tcpdump before 4.9.0. These were addressed by updating tcpdump to version 4.9.0. CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486 **tiffutil** Available for: macOS Sierra 10.12.3 Impact: Processing a maliciously crafted image may lead to unexpected application termination Description: An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in AKCmds to version 4.0.7. CVE-2016-3619 CVE-2016-9533 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9539 CVE-2016-9540 macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite includes the security content of [Safari 10.1](<https://support.apple.com/kb/HT207600>). ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## Additional recognition **XNU** We would like to acknowledge Lufeng Li of Qihoo 360 Vulcan Team for their assistance. Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information. Published Date: August 29, 2017


Affected Software


CPE Name Name Version
macos sierra 10.12.3
os x el capitan v 10.11.6
and os x yosemite v 10.10.5

Related