With the release of macOS Sierra 10.12 Tuesday, Apple snuffed out dozens of lingering security vulnerabilities in OS X El Capitan and Yosemite. Along with updates to its OS, Apple addressed security bugs in its Safari web browser and macOS Server in separate security bulletins, also released Tuesday.
Sixty-eight security issues were tackled with the release of macOS Sierra 10.12. Bugs ranged from a critical audio vulnerability (CVE-2016-4702) that allowed a remote attacker to execute arbitrary code, to a kernel flaw (CVE-2016-4778) that allowed applications to execute arbitrary code giving an attacker kernel privileges.
More than 16 security patches addressed issues related to El Capitan’s implementation of Apache and its “apache_mod_php” module used for interpreting PHP code. The most significant of the “apache_mod_php” security issues could lead to unexpected application termination or arbitrary code execution, according to the Apple advisory.
Roughly 19 of the OS X patches address vulnerabilities that could ultimately lead to code execution. Five code-execution issues, Apple said, could trigger a denial of service and 12 related security issues were fixed that permitted an application to execute arbitrary code, also with kernel privileges.
One Bluetooth vulnerability (CVE-2016-4703) allowed an attacker to use an application to execute arbitrary code with kernel privileges. The flaw was tied to a memory corruption issue that Apple says was addressed through improved input validation.
Also on Tuesday, Apple separately shipped Safari 10 as an upgrade for those running Yosemite or El Capitan. The release addressed 21 security issues lingering in previous versions of Safari.
A swath of memory corruption bugs tied to Safari WebKit were patched, and each allowed an attacker to use maliciously crafted web content to trigger arbitrary code execution. Five other WebKit vulnerabilities were patched and tied to certificate validation and parsing issues.
Also fixed with the release of Safari 10 is a Safari Tabs vulnerability (CVE-2016-4751) that could allow an attacker to spoof the browser’s address bar just by a user visiting a malicious website. Another bug was fixed in Safari Reader (CVE-2016-4618) that allowed a maliciously crafted webpage to lead to a universal cross site scripting vulnerability.
Apple’s macOS Server also received security updates with the release of Server 5.2. The update included only two fixes. One (CVE-2016-4694) that allowed a remote attacker to proxy traffic through an arbitrary server. The second (CVE-2016-4754) made it easy for an attacker to exploit weaknesses in the RC4 cryptographic algorithm.