macOS 10.12 Patches Over 60 Vulnerabilities

Apple on Tuesday released the final version of macOS Sierra 10.12 as a free update and announced that no less than 65 security vulnerabilities were addressed in this operating system version.

Plagued by 16 flaws, the “apache_mod_php” module responsible for interpreting PHP code was the most affected component in the platform. The most significant of these issues could lead to unexpected application termination or arbitrary code execution. Apple resolved these vulnerabilities by updating PHP to version 5.6.24.

Other affected components include Apple’s implementation of Apache, AppleEFIRuntime, Application Firewall, Audio, Bluetooth, CFNetwork, CommonCrypto, CoreCrypto, curl, FontParser, Intel Graphics Driver, IOAcceleratorFamily, Kernel, libarchive, libxml2, Terminal, and WindowServer. Most of these issues were reported by external researchers, but some were found by Apple themselves.

Arbitrary code execution was the vulnerability with the largest number of occurrences in Apple’s security advisory. Some of these security bugs could result in the execution of code with kernel or system privileges. Vulnerabilities that could result in denial of service or leaked user information were also addressed in this release.

In addition to macOS Sierra 10.12, which resolves vulnerabilities in OS X El Capitan v10.11.6, Apple also released macOS Server 5.2 and Safari 10, to address additional security bugs, along with iCloud for Windows 6.0, which is available for Windows 7 and later with a patch for a WebKit flaw (CVE-2016-4762) that could lead to arbitrary code execution when processing maliciously crafted web content.

macOS Server 5.2 is available for macOS Sierra 10.12 with patches for two issues, one in apache and another in the ServerDocs Server component. By exploiting the ServerDocs Server vulnerability (CVE-2016-4754), an attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm. To resolve the bug, Apple removed RC4 as a supported cipher.

Last month, Microsoft disabled RC4 in Edge and Internet Explorer 11 to improve user security, and Mozilla did the same in Firefox 44, which was released in January this year. Google too deprecated the cipher in Chrome, a move determined by researchers’ discovery of new attacks against RC4, some increasingly practical and feasible. 

Safari 10 was released with patches for 21 vulnerabilities in three components, namely Safari Reader, Safari Tabs, and WebKit. The new browser release is available for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12, Apple reveals.

Safari Reader and Safari Tabs were affected by one vulnerability each, namely a universal cross site scripting (CVE-2016-4618) and an address bar spoofing flaw (CVE-2016-4751) respectively. WebKit was plagued by 19 bugs, including 15 memory corruption issues and a parsing issue in the handling of error prototypes, all of which could result in arbitrary code execution.

Other vulnerabilities addressed in Safari 10 could result in leaked sensitive data (CVE-2016-4758) or in malicious websites accessing non-HTTP services (CVE-2016-4760). A certificate validation issue in the handling of WKWebView (CVE-2016-4763) could allow an attacker in a privileged network position to intercept and alter network traffic to applications using WKWebView with HTTPS.

Related: Apple Patches Spyware-Related Zero-Days in OS X, Safari

Related: Apple Issues Emergency Fix for iOS Zero-Days: What You Need to Know