Apple macOS Sierra Fixes 68 Vulnerabilities

Apple is patching 68 security issues in its desktop operating system as part of the release of its new macOS Sierra (10.12) milestone.

Apple’s previous security update for its desktop operating system debuted Sept. 2 with OS X 10.11.6 fixing three zero-day flaws that were first patched in iOS. Starting with version 10.12, Apple has rebranded its desktop operating system from OS X to simply macOS.

With macOS Sierra, the desktop update comes after Apple’s mobile release, with iOS 10 debuting Sept. 13. Once again, some security patches first made available on iOS are now coming to macOS. Among the issues first patched in iOS and now landing in macOS is CVE-2016-4708 in the CFNetwork component, which provides core networking technologies to both iOS and macOS.

macOS Sierra security

There are also multiple cryptographic flaws that were first fixed in iOS 10 that are now coming to macOS Sierra. CVE-2016-4711 is a flaw in the CommonCrypto library that could have enabled information disclosures. The CVE-2016-4712 vulnerability in Apple’s CoreCrypto library potentially could have enabled an application to execute arbitrary code.

Apple’s kernel that is used in both iOS 10 and macOS Sierra also is being patched for eight vulnerabilities; CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777 and CVE-2016-4778 potentially could have enabled arbitrary code execution with full kernel privileges.

While some attack vectors require hackers to use elaborate methods to exploit systems, macOS Sierra provides updates to help protect against a number of attacks that might not have been difficult to execute. Among those issues is a vulnerability (CVE-2016-4779) in Apple Type Service (ATS) reported by Chinese firm Tencent.

“Processing a maliciously crafted font file may lead to arbitrary code execution,” Apple warns in its advisory.

macOS Sierra

Image 1 of 5

Apple macOS Sierra (1)

A team of researchers from Yonsei University in South Korea reported an interesting audio flaw (CVE-2016-4702) to Apple. The vulnerability potentially could have enabled a remote attacker to execute arbitrary code, due to a memory corruption issue with the audio library component.

Although Apple benefits from reports provided by multiple groups of security researchers, for the macOS Sierra update, Trend Micro’s Zero-Day Initiative (ZDI) is well-represented. ZDI contributors reported five different flaws (CVE-2016-4727, CVE-2016-4750, CVE-2016-4697, CVE-2016-4699 and CVE-2016-4700). The ZDI pays security researchers to disclose vulnerabilities, which ZDI then responsibly discloses to the affected vendor.

Docker discovery

Another interesting vulnerability report for macOS Sierra came to Apple from Docker Inc., whose popular open-source application container engine and orchestration system now has a native client available on macOS.

Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker Inc. discovered the CVE-2016-4739 vulnerability in the mDNSResponder component of macOS. The mDNSResponder is Apple’s service for enabling networking, including the Bonjour protocol. The CVE-2016-4739 vulnerability could have enabled a remote attacker to view sensitive information.

In addition to the macOS Sierra updates, Apple also released Safari 10, providing 21 patches for vulnerabilities in Apple’s web browser. Nineteen of the 21 issues are in the WebKit rendering engine and involved memory corruption issues that could have led to arbitrary code execution and information disclosure.

Quiz: What do you know about Apple?

Originally published on eWeek

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago