Apple macOS Sierra Fixes 68 Vulnerabilities

Apple is patching 68 security issues in its desktop operating system as part of the release of its new macOS Sierra (10.12) milestone.

Apple’s previous security update for its desktop operating system debuted Sept. 2 with OS X 10.11.6 fixing three zero-day flaws that were first patched in iOS. Starting with version 10.12, Apple has rebranded its desktop operating system from OS X to simply macOS.

With macOS Sierra, the desktop update comes after Apple’s mobile release, with iOS 10 debuting Sept. 13. Once again, some security patches first made available on iOS are now coming to macOS. Among the issues first patched in iOS and now landing in macOS is CVE-2016-4708 in the CFNetwork component, which provides core networking technologies to both iOS and macOS.

macOS Sierra security

There are also multiple cryptographic flaws that were first fixed in iOS 10 that are now coming to macOS Sierra. CVE-2016-4711 is a flaw in the CommonCrypto library that could have enabled information disclosures. The CVE-2016-4712 vulnerability in Apple’s CoreCrypto library potentially could have enabled an application to execute arbitrary code.

Apple’s kernel that is used in both iOS 10 and macOS Sierra also is being patched for eight vulnerabilities; CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777 and CVE-2016-4778 potentially could have enabled arbitrary code execution with full kernel privileges.

While some attack vectors require hackers to use elaborate methods to exploit systems, macOS Sierra provides updates to help protect against a number of attacks that might not have been difficult to execute. Among those issues is a vulnerability (CVE-2016-4779) in Apple Type Service (ATS) reported by Chinese firm Tencent.

“Processing a maliciously crafted font file may lead to arbitrary code execution,” Apple warns in its advisory.

macOS Sierra

Image 1 of 5

Apple macOS Sierra (1)

A team of researchers from Yonsei University in South Korea reported an interesting audio flaw (CVE-2016-4702) to Apple. The vulnerability potentially could have enabled a remote attacker to execute arbitrary code, due to a memory corruption issue with the audio library component.

Although Apple benefits from reports provided by multiple groups of security researchers, for the macOS Sierra update, Trend Micro’s Zero-Day Initiative (ZDI) is well-represented. ZDI contributors reported five different flaws (CVE-2016-4727, CVE-2016-4750, CVE-2016-4697, CVE-2016-4699 and CVE-2016-4700). The ZDI pays security researchers to disclose vulnerabilities, which ZDI then responsibly discloses to the affected vendor.

Docker discovery

Another interesting vulnerability report for macOS Sierra came to Apple from Docker Inc., whose popular open-source application container engine and orchestration system now has a native client available on macOS.

Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker Inc. discovered the CVE-2016-4739 vulnerability in the mDNSResponder component of macOS. The mDNSResponder is Apple’s service for enabling networking, including the Bonjour protocol. The CVE-2016-4739 vulnerability could have enabled a remote attacker to view sensitive information.

In addition to the macOS Sierra updates, Apple also released Safari 10, providing 21 patches for vulnerabilities in Apple’s web browser. Nineteen of the 21 issues are in the WebKit rendering engine and involved memory corruption issues that could have led to arbitrary code execution and information disclosure.

Quiz: What do you know about Apple?

Originally published on eWeek

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

3 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

3 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

3 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

3 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

3 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

3 days ago