Apple released a massive update for macOS Sierra on Tuesday to address 72 vulnerabilities in the operating system. The update, which was flanked by updates for iCloud, iTunes, and Safari, comes a day after the company fixed a dozen issues in iOS.
Eleven of the vulnerabilities can lead to arbitrary code execution, assuming the attacker could get a victim to open a maliciously crafted file. Eight of the bugs could lead to a denial of service condition. Information about one of the nastier bugs, a macOS kernel flaw dug up by Ian Beer of Google’s Project Zero, is scant. But according to Apple’s advisory, if exploited, it could have led to code execution in the kernel, or system termination. Beer found nine of the bugs fixed by Apple on Tuesday, four of them in the kernel.
The update includes fixes for Apple frameworks such as CoreGraphics and IO, and for volume management systems like CoreStorage. It also updates versions of PHP (5.6.26) and the file transfer library cURL (7.51.0).
An audit (.PDF) carried out by the German penetration testing firm Cure53, sponsored by Mozilla’s Secure Open Source program, late last month identified a dozen vulnerabilities in the cURL library. Apple fixed those bugs and warned that an attacker in a privileged network position could have exploited them to leak sensitive user information.
Other vulnerabilities that could have allowed an attacker to modify downloaded mobile assets, or in one instance, gain root privileges, were also fixed with the macOS update.
Included in the macOS update is the latest version of Safari, 10.0.2. The update fixes 24 issues in the browser, most of which affect WebKit, Safari’s web browser engine. Those bugs could have led to code execution, the disclosure of process memory, the disclosure of user information, and the unexpected termination of the browser, Apple warns. A bug in Safari Reader, which lets users read articles in one page, could additionally have led to universal cross-site scripting.
Most of the fixes from Safari – save for the Safari Reader issue – also found their way into an update for iTunes (12.5.4) Apple pushed to Windows users yesterday. The iTunes Store has used WebKit as its rendering engine since 2009 when Apple released iTunes 9, meaning it was affected by the same vulnerabilities.
Fixes for the same WebKit issues were also incorporated into an iCloud for Windows update (6.1) Apple released Tuesday. One Windows-specific issue, a problem with the iCloud desktop client, was fixed with the update. The client failed to clear sensitive information in memory, something that could have permitted a local user to leak sensitive information.
It’s the second time Apple has patched the operating system since it was released in September; it fixed a handful of bugs, including six that could have led to code execution, in October.