
About the security content of macOS Sierra 10.12 - Apple Support


## About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page. For more information about security, see the [Apple Product Security](<https://www.apple.com/support/security/>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>). Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.

## macOS Sierra 10.12

Released September 20, 2016

**apache**

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to proxy traffic through an arbitrary server

Description: An issue existed in the handling of the HTTP_PROXY environment variable. This issue was addressed by not setting the HTTP_PROXY environment variable from CGI.

CVE-2016-4694: Dominic Scheirlinck and Scott Geary of Vend

**apache_mod_php**

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in PHP, the most significant of which may lead to unexpected application termination or arbitrary code execution

Description: Multiple issues in PHP were addressed by updating PHP to version 5.6.24.

CVE-2016-5768
CVE-2016-5769
CVE-2016-5770
CVE-2016-5771
CVE-2016-5772
CVE-2016-5773
CVE-2016-6174
CVE-2016-6288
CVE-2016-6289
CVE-2016-6290
CVE-2016-6291
CVE-2016-6292
CVE-2016-6294
CVE-2016-6295
CVE-2016-6296
CVE-2016-6297

**Apple HSSPI Support**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4697: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative

**AppleEFIRuntime**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-4696: Shrek_wzw of Qihoo 360 Nirvan Team

**AppleMobileFileIntegrity**

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to execute arbitrary code with system privileges

Description: A validation issue existed in the task port inheritance policy. This issue was addressed through improved validation of the process entitlement and Team ID.

CVE-2016-4698: Pedro Vilaça

**AppleUUC**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved input validation.

CVE-2016-4699: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro's Zero Day Initiative
CVE-2016-4700: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro's Zero Day Initiative

**Application Firewall**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to cause a denial of service

Description: A validation issue existed in the handling of firewall prompts. This issue was addressed through improved validation of SO_EXECPATH.

CVE-2016-4701: Meder Kydyraliev of Google Security Team

**ATS**

Available for: OS X Lion v10.7.5 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4779: riusksk of Tencent Security Platform Department

**Audio**

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to execute arbitrary code

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4702: YoungJin Yoon, MinSik Shin, HoJae Han, Sunghyun Park, and Taekyoung Kwon of Information Security Lab, Yonsei University

**Bluetooth**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved input validation.

CVE-2016-4703: Juwei Lin (@fuzzerDOTcn) of Trend Micro

**cd9660**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to cause a system denial of service

Description: An input validation issue was addressed through improved memory handling.

CVE-2016-4706: Recurity Labs on behalf of BSI (German Federal Office for Information Security)

**CFNetwork**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to discover websites a user has visited

Description: An issue existed in Local Storage deletion. This issue was addressed through improved Local Storage cleanup.

CVE-2016-4707: an anonymous researcher

**CFNetwork**

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may compromise user information

Description: An input validation issue existed in the parsing of the set-cookie header. This issue was addressed through improved validation checking.

CVE-2016-4708: Dawid Czagan of Silesia Security Lab

**CommonCrypto**

Available for: OS X Lion v10.7.5 and later

Impact: An application using CCrypt may disclose sensitive plaintext if the output and input buffer are the same

Description: An input validation issue existed in corecrypto. This issue was addressed through improved input validation.

CVE-2016-4711: Max Lohrmann

**CoreCrypto**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code

Description: An out-of-bounds write issue was addressed by removing the vulnerable code.

CVE-2016-4712: Gergo Koteles

**CoreDisplay**

Available for: OS X Lion v10.7.5 and later

Impact: A user with screen sharing access may be able to view another user's screen

Description: A session management issue existed in the handling of screen sharing sessions. This issue was addressed through improved session tracking.

CVE-2016-4713: Ruggero Alberti

**curl**

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in curl

Description: Multiple security issues existed in curl prior to version 7.49.1. These issues were addressed by updating curl to version 7.49.1.

CVE-2016-0755: Isaac Boukris

**Date & Time Pref Pane**

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to determine a user's current location

Description: An issue existed in the handling of the .GlobalPreferences file. This was addressed through improved validation.

CVE-2016-4715: Taiki (@Taiki__San) at ESIEA (Paris)

**DiskArbitration**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to execute arbitrary code with system privileges

Description: An access issue existed in diskutil. This issue was addressed through improved permissions checking.

CVE-2016-4716: Alexander Allen of The North Carolina School of Science and Mathematics

**File Bookmark**

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to cause a denial of service

Description: A resource management issue existed in the handling of scoped bookmarks. This issue was addressed through improved file descriptor handling.

CVE-2016-4717: Tom Bradley of 71Squared Ltd

**FontParser**

Available for: OS X Lion v10.7.5 and later

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking.

CVE-2016-4718: Apple

**IDS - Connectivity**

Available for: OS X Lion v10.7.5 and later

Impact: An attacker in a privileged network position may be able to cause a denial of service

Description: A spoofing issue existed in the handling of Call Relay. This issue was addressed through improved input validation.

CVE-2016-4722: Martin Vigo (@martin_vigo) of salesforce.com

**ImageIO**

Available for: OS X Lion v10.7.5 and later

Impact: Processing a maliciously crafted image may result in the disclosure of process memory

Description: An out-of-bounds read issue existed in the SGI image parsing. This issue was addressed through improved bounds checking.

CVE-2016-4682: Ke Liu of Tencent's Xuanwu Lab

Entry added October 24, 2016

**Intel Graphics Driver**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4723: daybreaker of Minionz

**Intel Graphics Driver**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-2016-7582: Liang Chen of Tencent KeenLab

Entry added November 14, 2016

**IOAcceleratorFamily**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A null pointer dereference was addressed through improved input validation.

CVE-2016-4724: Cererdlong, Eakerqiu of Team OverSky

**IOAcceleratorFamily**

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: A memory corruption issue was addressed through improved input validation.

CVE-2016-4725: Rodger Combs of Plex, Inc

**IOAcceleratorFamily**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4726: an anonymous researcher

**IOThunderboltFamily**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4727: wmin working with Trend Micro's Zero Day Initiative

**Kerberos v5 PAM module**

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may determine the existence of user accounts

Description: A timing side channel allowed an attacker to determine the existence of user accounts on a system. This issue was addressed by introducing constant time checks.

CVE-2016-4745: an anonymous researcher

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: A local application may be able to access restricted files

Description: A parsing issue in the handling of directory paths was addressed through improved path validation.

CVE-2016-4771: Balazs Bucsay, Research Director of MRG Effitas

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to cause a denial of service

Description: A lock handling issue was addressed through improved lock handling.

CVE-2016-4772: Marc Heuse of mh-sec

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to determine kernel memory layout

Description: Multiple out-of-bounds read issues existed that led to the disclosure of kernel memory. These were addressed through improved input validation.

CVE-2016-4773: Brandon Azad
CVE-2016-4774: Brandon Azad
CVE-2016-4776: Brandon Azad

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4775: Brandon Azad

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An untrusted pointer dereference was addressed by removing the affected code.

CVE-2016-4777: Lufeng Li of Qihoo 360 Vulcan Team

**Kernel**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4778: CESG

**libarchive**

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed through improved input validation.

CVE-2016-4736: Proteas of Qihoo 360 Nirvan Team

**libxml2**

Available for: OS X Lion v10.7.5 and later

Impact: Multiple issues in libxml2, the most significant of which may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4658: Nick Wellnhofer
CVE-2016-5131: Nick Wellnhofer

**libxpc**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to break out of its sandbox

Description: Multiple weaknesses existed with spawning new processes using launchctl. These issues were addressed through improved policy enforcement.

CVE-2016-4617: Gregor Kopf of Recurity Labs on behalf of BSI (German Federal Office for Information Security)

Entry added October 24, 2016

**libxslt**

Available for: OS X Lion v10.7.5 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4738: Nick Wellnhofer

**Mail**

Available for: OS X Lion v10.7.5 and later

Impact: A malicious website may be able to cause a denial of service

Description: A denial of service issue was addressed through improved URL handling.

CVE-2016-7580: Sabri Haddouche (@pwnsdx)

Entry added December 1, 2016

**mDNSResponder**

Available for: OS X Lion v10.7.5 and later

Impact: A remote attacker may be able to view sensitive information

Description: Applications using VMnet.framework enabled a DNS proxy listening on all network interfaces. This issue was addressed by restricting DNS query responses to local interfaces.

CVE-2016-4739: Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker, Inc.

**NSSecureTextField**

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to leak a user's credentials

Description: A state management issue existed in NSSecureTextField, which failed to enable Secure Input. This issue was addressed through improved window management.

CVE-2016-4742: Rick Fillion of AgileBits, Daniel Jalkut of Red Sweater Software

**Perl**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to bypass the taint protection mechanism

Description: An issue existed in the parsing of environment variables. This issue was addressed through improved validation of environment variables.

CVE-2016-4748: Stephane Chazelas

**S2 Camera**

Available for: OS X Lion v10.7.5 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed through improved memory handling.

CVE-2016-4750: Jack Tang (@jacktang310) and Moony Li of Trend Micro working with Trend Micro's Zero Day Initiative

**Security**

Available for: OS X Lion v10.7.5 and later

Impact: An application using SecKeyDeriveFromPassword may leak memory

Description: A resource management issue existed in the handling of key derivation. This issue was addressed by adding CF_RETURNS_RETAINED to SecKeyDeriveFromPassword.

CVE-2016-4752: Mark Rogers of PowerMapper Software

**Security**

Available for: OS X Lion v10.7.5 and later

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A validation issue existed in signed disk images. This issue was addressed through improved size validation.

CVE-2016-4753: Mark Mentovai of Google Inc.

**Terminal**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to leak sensitive user information

Description: A permissions issue existed in .bash_history and .bash_session. This issue was addressed through improved access restrictions.

CVE-2016-4755: Axel Luttgens

**WindowServer**

Available for: OS X Lion v10.7.5 and later

Impact: A local user may be able to gain root privileges

Description: A type confusion issue was addressed through improved memory handling.

CVE-2016-4709: an anonymous researcher working with Trend Micro's Zero Day Initiative
CVE-2016-4710: an anonymous researcher working with Trend Micro's Zero Day Initiative

Entry updated November 15, 2016

macOS Sierra 10.12 includes the security content of [Safari 10](<https://support.apple.com/kb/HT207157>).


Affected Software

| Name | Version |
|---|---|
| OS X Lion | v10.7.5 |
| macOS Sierra | 10.12 |
