Connect with us

Hi, what are you looking for?



macOS 10.12 Patches Over 60 Vulnerabilities

Apple on Tuesday released the final version of macOS Sierra 10.12 as a free update and announced that no less than 65 security vulnerabilities were addressed in this operating system version.

Apple on Tuesday released the final version of macOS Sierra 10.12 as a free update and announced that no less than 65 security vulnerabilities were addressed in this operating system version.

Plagued by 16 flaws, the “apache_mod_php” module responsible for interpreting PHP code was the most affected component in the platform. The most significant of these issues could lead to unexpected application termination or arbitrary code execution. Apple resolved these vulnerabilities by updating PHP to version 5.6.24.

Other affected components include Apple’s implementation of Apache, AppleEFIRuntime, Application Firewall, Audio, Bluetooth, CFNetwork, CommonCrypto, CoreCrypto, curl, FontParser, Intel Graphics Driver, IOAcceleratorFamily, Kernel, libarchive, libxml2, Terminal, and WindowServer. Most of these issues were reported by external researchers, but some were found by Apple themselves.

Arbitrary code execution was the vulnerability with the largest number of occurrences in Apple’s security advisory. Some of these security bugs could result in the execution of code with kernel or system privileges. Vulnerabilities that could result in denial of service or leaked user information were also addressed in this release.

In addition to macOS Sierra 10.12, which resolves vulnerabilities in OS X El Capitan v10.11.6, Apple also released macOS Server 5.2 and Safari 10, to address additional security bugs, along with iCloud for Windows 6.0, which is available for Windows 7 and later with a patch for a WebKit flaw (CVE-2016-4762) that could lead to arbitrary code execution when processing maliciously crafted web content.

macOS Server 5.2 is available for macOS Sierra 10.12 with patches for two issues, one in apache and another in the ServerDocs Server component. By exploiting the ServerDocs Server vulnerability (CVE-2016-4754), an attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm. To resolve the bug, Apple removed RC4 as a supported cipher.

Last month, Microsoft disabled RC4 in Edge and Internet Explorer 11 to improve user security, and Mozilla did the same in Firefox 44, which was released in January this year. Google too deprecated the cipher in Chrome, a move determined by researchers’ discovery of new attacks against RC4, some increasingly practical and feasible. 

Advertisement. Scroll to continue reading.

Safari 10 was released with patches for 21 vulnerabilities in three components, namely Safari Reader, Safari Tabs, and WebKit. The new browser release is available for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12, Apple reveals.

Safari Reader and Safari Tabs were affected by one vulnerability each, namely a universal cross site scripting (CVE-2016-4618) and an address bar spoofing flaw (CVE-2016-4751) respectively. WebKit was plagued by 19 bugs, including 15 memory corruption issues and a parsing issue in the handling of error prototypes, all of which could result in arbitrary code execution.

Other vulnerabilities addressed in Safari 10 could result in leaked sensitive data (CVE-2016-4758) or in malicious websites accessing non-HTTP services (CVE-2016-4760). A certificate validation issue in the handling of WKWebView (CVE-2016-4763) could allow an attacker in a privileged network position to intercept and alter network traffic to applications using WKWebView with HTTPS.

Related: Apple Patches Spyware-Related Zero-Days in OS X, Safari

Related: Apple Issues Emergency Fix for iOS Zero-Days: What You Need to Know

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.