The specific version of Mac OS X that the system is running is reportedly affected by the following vulnerabilities:
Apple Mac OS X contains an unspecified NULL pointer dereference flaw in Audio, which may allow a local attacker to cause a denial of service for the system. (CVE-2016-4649)
Apple Mac OS X contains a use-after-free flaw in DspFuncLib that is triggered as user-supplied input is not properly validated when handling function IDs. This may allow a local attacker to dereference already freed memory and potentially execute arbitrary code in the context of the kernel. (CVE-2016-4647)
Apple Mac OS X contains a use-after-free error in the DspFuncLib extension. The issue is triggered when handling error conditions. With a specially crafted file, a local attacker can dereference already freed memory and potentially execute arbitrary code with root privileges. (CVE-2016-4648)
Apple Mac OS X contains an out-of-bounds read flaw in ACMP4AACBaseDecoder that is triggered during the handling of a specially crafted MOV file. This may allow a context-dependent attacker to disclose user information. (CVE-2016-4646)
Apple Mac OS X contains an integer overflow in bspatch related to bsdiff that is triggered as bounds are not properly checked. This may allow a local attacker to potentially gain elevated privileges. (CVE-2014-9862)
Apple Mac OS X contains a permission flaw in CFNetwork that is triggered during the handling of web browser cookies. This may allow a local attacker to view sensitive user information. (CVE-2016-4645)
Apple Mac OS X contains an out-of-bounds read flaw in CoreGraphics that is triggered as input is not properly validated. This may allow a local attacker to disclose kernel memory. (CVE-2016-4652)
Multiple Apple products contain a flaw in CoreGraphics. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4637)
Multiple Apple products contain a flaw in FaceTime that is triggered as user interface inconsistencies occur when handling relayed calls. This may allow a man-in-the-middle attacker to cause a relayed call to continue to transmit audio while the call appears to be terminated. (CVE-2016-4635)
Apple Mac OS X contains a flaw in Graphics drivers. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4634)
Apple Mac OS X contains a flaw in ImageIO. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4629)
Apple Mac OS X contains a flaw in ImageIO. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4630)
Multiple Apple products contain an unspecified flaw in ImageIO that is triggered as memory is not properly handled. This may allow a remote attacker to cause a consumption of available memory resources. (CVE-2016-4632)
Multiple Apple products contain multiple flaws in ImageIO. The issues are triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4631)
Apple Mac OS X contains multiple flaws in the Intel Graphics driver. The issues are triggered as user-supplied input is not properly validated when handling memory. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4633)
Multiple Apple products contain an unspecified NULL pointer dereference flaw in IOHIDFamily that is triggered as input is not properly validated. This may allow a local attacker to gain elevated, kernel privileges. (CVE-2016-4626)
Apple Mac OS X contains a use-after-free error in IOSurface that is triggered as memory is not properly managed, which may allow a local attacker to dereference already freed memory and gain elevated, kernel privileges. (CVE-2016-4625)
Multiple Apple products contain a flaw in Sandbox Profiles that is triggered as restrictions are not properly enforced on privileged API calls. This may allow a local attacker to access the process list. (CVE-2016-4594)
Multiple Apple products contain a flaw in the Kernel that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1863)
Multiple Apple products contain a flaw in the Kernel that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-4582)
Multiple Apple products contain an unspecified NULL pointer dereference flaw in Kernel that is triggered as input is not properly validated. This may allow a local attacker to cause a denial of service for the system. (CVE-2016-1865)
Apple Mac OS X contains multiple flaws in libc++abi. The issues are triggered as user-supplied input is not properly validated when handling memory. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with root privileges. (CVE-2016-4621)
Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4614)
Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4615)
Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4616)
Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4619)
Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4607)
Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4608)
Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4609)
Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4610)
Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4612)
Apple Mac OS X contains an unspecified type confusion flaw in the Login Window, which may allow a local attacker to gain elevated, root privileges. (CVE-2016-4638)
Apple Mac OS X contains an overflow condition that is triggered as user-supplied input is not properly validated when interacting with _XRegisterCursorWithData. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4640)
Apple Mac OS X contains a type confusion flaw that is triggered by certain _XSetDictionaryForCurrentSession interactions, which may allow a local attacker to gain elevated privileges. (CVE-2016-4641)
Apple Mac OS X contains an unspecified memory initialization flaw in the Login Window, which may allow a local attacker to cause a denial of service. (CVE-2016-4639)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted SGI file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4601)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted Photoshop Document (PSD). This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4599)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4596)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4597)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4600)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4602)
Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted image file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4598)
Apple Mac OS X contains a flaw in the Safari Login AutoFill feature that can cause the user’s password to be displayed unobfuscated on the screen. This may allow a physically present attacker to potentially gain knowledge of a user’s password. (CVE-2016-4595)
Multiple Apple products contain a flaw in IOPMrootDomain in the kernel that is triggered as certain input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute code with elevated privileges. (CVE-2016-4653)
Multiple Apple Products contain a flaw in CFNetwork Proxies that is due to the transfer of password information in cleartext. This may allow a man-in-the-middle attacker to gain access to password information. (CVE-2016-4642)
Multiple Apple Products contain a flaw in CFNetowrk Proxies that is triggered when parsing 407 responses. This may allow a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-4643)
Multiple Apple products contain a downgrade flaw in CFNetwork Proxies that is triggered when saving HTTP authentication credentials in the Keychain. This may allow a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-4644)
Binary data 802026.prm
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1863
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1865
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4582
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4595
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4596
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4597
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4598
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4600
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4601
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4602
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4607
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4608
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4609
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4610
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4612
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4614
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4615
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4616
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4619
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4621
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4625
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4626
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4629
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4630
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4631
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4632
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4633
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4634
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4635
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4637
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4638
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4639
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4640
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4641
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4642
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4643
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4644
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4646
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4652
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4653
falseconnect.com/
jvn.jp/vu/JVNVU90754453/index.html
jvn.jp/vu/JVNVU94844193/index.html
metro.co.uk/2016/07/23/dont-panic-but-your-iphone-could-get-hacked-any-day-now-6024897/
seclists.org/bugtraq/2016/Jul/122
seclists.org/bugtraq/2016/Jul/75
seclists.org/bugtraq/2016/Jul/76
seclists.org/bugtraq/2016/Jul/77
seclists.org/bugtraq/2016/Jul/78
seclists.org/bugtraq/2016/Jul/79
seclists.org/bugtraq/2016/Jul/80
www.apple.com/
www.eweek.com/security/apple-announces-os-x-and-ios-security-updates.html
www.infosecurity-magazine.com/news/stagefright-returns-users-urged-to/
www.talosintelligence.com/reports/TALOS-2016-0171/
www.talosintelligence.com/reports/TALOS-2016-0180/
www.talosintelligence.com/reports/TALOS-2016-0181/
www.talosintelligence.com/reports/TALOS-2016-0186/
www.techworm.net/2016/08/falseconnect-vulnerability-affects-internet-users.html
www.theregister.co.uk/2016/07/19/apple_patches_july2016/
www.theregister.co.uk/2016/07/21/wavering_about_apples_latest_security_fix_dont_says_talos/
www.theregister.co.uk/2016/08/17/falseconnect_sends_vendors_scrambling_to_patch_proxy_mitm_bug/
www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/
www.zerodayinitiative.com/advisories/ZDI-16-431/
www.zerodayinitiative.com/advisories/ZDI-16-432/
www.zerodayinitiative.com/advisories/ZDI-16-433/
www.zerodayinitiative.com/advisories/ZDI-16-434/
www.zerodayinitiative.com/advisories/ZDI-16-435/
www.zerodayinitiative.com/advisories/ZDI-16-436/
www.zerodayinitiative.com/advisories/ZDI-16-437/
www.zerodayinitiative.com/advisories/ZDI-16-438/
www.zerodayinitiative.com/advisories/ZDI-16-439/
www.zerodayinitiative.com/advisories/ZDI-16-496/
support.apple.com/en-us/HT206899
support.apple.com/en-us/HT206901
support.apple.com/en-us/HT206902
support.apple.com/en-us/HT206903
support.apple.com/en-us/HT206904
support.apple.com/en-us/HT206905
www.freebsd.org/security/advisories/FreeBSD-SA-16%3A25.bspatch.asc