About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002 - Apple Support

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

OS X El Capitan 10.11.4 and Security Update 2016-002

• apache_mod_php

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.

CVE-ID

CVE-2015-8126 : Adam Mariš

CVE-2015-8472 : Adam Mariš

• AppleRAID

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-ID

CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team

• AppleRAID

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A local user may be able to determine kernel memory layout

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.

CVE-ID

CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team

• AppleUSBNetworking

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A USB device may be able to cause a denial of service

Description: An error handling issue existed in packet validation. This issue was addressed through improved error handling.

CVE-ID

CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path

• Bluetooth

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1735 : Jeonghoon [email protected]

CVE-2016-1736 : beist and ABH of BoB

• Carbon

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution

Description: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.

CVE-ID

CVE-2016-1737 : HappilyCoded (ant4g0nist &r3dsm0k3)

• dyld

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An attacker may tamper with code-signed applications to execute arbitrary code in the application’s context

Description: A code signing verification issue existed in dyld. This issue was addressed with improved validation.

CVE-ID

CVE-2016-1738 : beist and ABH of BoB

• FontParser

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro’s Zero Day Initiative (ZDI)

• HTTPProtocol

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.

CVE-ID

CVE-2015-8659

• Intel Graphics Driver

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1743 : Piotr Bania of Cisco Talos

CVE-2016-1744 : Ian Beer of Google Project Zero

• IOFireWireFamily

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A local user may be able to cause a denial of service

Description: A null pointer dereference was addressed through improved validation.

CVE-ID

CVE-2016-1745 : sweetchip of Grayhash

• IOGraphics

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-ID

CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)

CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)

• IOHIDFamily

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to determine kernel memory layout

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1748 : Brandon Azad

• IOUSBFamily

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-ID

CVE-2016-1750 : CESG

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition existed during the creation of new processes. This was addressed through improved state handling.

CVE-ID

CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaça

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-ID

CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team

• Kernel

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team

CVE-2016-1755 : Ian Beer of Google Project Zero

CVE-2016-1759 : lokihardt

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to determine kernel memory layout

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.

CVE-ID

CVE-2016-1758 : Brandon Azad

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple integer overflows were addressed through improved input validation.

CVE-ID

CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)

• Kernel

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to cause a denial of service

Description: A denial of service issue was addressed through improved validation.

CVE-ID

CVE-2016-1752 : CESG

• libxml2

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2015-1819

CVE-2015-5312 : David Drysdale of Google

CVE-2015-7499

CVE-2015-7500 : Kostya Serebryany of Google

CVE-2015-7942 : Kostya Serebryany of Google

CVE-2015-8035 : gustavo.grieco

CVE-2015-8242 : Hugh Davenport

CVE-2016-1761 : wol0xff working with Trend Micro’s Zero Day Initiative (ZDI)

CVE-2016-1762

• Messages

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Clicking a JavaScript link can reveal sensitive user information

Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.

CVE-ID

CVE-2016-1764 : Matthew Bryant of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox

• Messages

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An attacker who is able to bypass Apple’s certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments

Description: A cryptographic issue was addressed by rejecting duplicate messages on the client.

CVE-ID

CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University

• NVIDIA Graphics Drivers

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1741 : Ian Beer of Google Project Zero

• OpenSSH

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

Impact: Connecting to a server may leak sensitive user information, such as a client’s private keys

Description: Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client.

CVE-ID

CVE-2016-0777 : Qualys

CVE-2016-0778 : Qualys

• OpenSSH

Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5

Impact: Multiple vulnerabilities in LibreSSL

Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8.

CVE-ID

CVE-2015-5333 : Qualys

CVE-2015-5334 : Qualys

• OpenSSL

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A remote attacker may be able to cause a denial of service

Description: A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh.

CVE-ID

CVE-2015-3195

• Python

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20.

CVE-ID

CVE-2014-9495

CVE-2015-0973

CVE-2015-8126 : Adam Mariš

CVE-2015-8472 : Adam Mariš

• QuickTime

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1767 : Francis Provencher from COSIG

CVE-2016-1768 : Francis Provencher from COSIG

• QuickTime

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1769 : Francis Provencher from COSIG

• Reminders

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Clicking a tel link can make a call without prompting the user

Description: A user was not prompted before invoking a call. This was addressed through improved entitlement checks.

CVE-ID

CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of Laurent.ca

• Ruby

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. This issue was addressed by updating to version 2.0.0-p648.

CVE-ID

CVE-2015-7551

• Security

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: A local user may be able to check for the existence of arbitrary files

Description: A permissions issue existed in code signing tools. This was addressed though additional ownership checks.

CVE-ID

CVE-2016-1773 : Mark Mentovai of Google Inc.

• Security

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.

CVE-ID

CVE-2016-1950 : Francis Gabriel of Quarkslab

• Tcl

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution

Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by removing libpng.

CVE-ID

CVE-2015-8126

• TrueTypeScaler

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

CVE-ID

CVE-2016-1775 : 0x1byte working with Trend Micro’s Zero Day Initiative (ZDI)

• Wi-Fi

Available for: OS X El Capitan v10.11 to v10.11.3

Impact: An attacker with a privileged network position may be able to execute arbitrary code

Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.

CVE-ID

CVE-2016-0801 : an anonymous researcher

CVE-2016-0802 : an anonymous researcher

OS X El Capitan 10.11.4 includes the security content of Safari 9.1.