Happy Apple Patch Monday! Today’s, Apple May 2016 Mac OS X Updates impact Mac OS X including El Capitan 10.11.5, Security Update 2016-003 for Mavericks 10.9.5 and Yosemite 10.10.5, and Safari 9.1.1. In total, there were 77 vulnerabilities fixed including many high risk vulnerabilities that should be remediated quickly
OS X 10.11.5 and Security Update 2016-003
The last Mac OS X Security Update was on March 21 and today’s release of OS X 10.11.5 and Security Update 2016-003 brings fixes to 67 vulnerabilities across OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11. As with previous security updates the majority of vulnerabilities are only fixed in El Capitan. Here is the breakdown of vulnerabilities fixed by OS X version:
- 12 in Mavericks 10.9.5
- 13 in Yosemite 10.10.5
- All 70 fixed in El Capitan 10.11
With Apple’s latest version focus, it is very interesting to explore the vulnerabilities that were fixed in the older versions. Included in that mix are vulnerabilities where:
- Application that can determine the kernel memory layout
- Attacker in a privileged network may execute arbitrary code with user assistance
- Malicious XML, website, or web content may lead to arbitrary code execution
The last category is most interesting as malicious websites or files are useful for hackers to social engineer their way onto a system.
From the vulnerabilities only fixed in El Capitan, there is of note for the exploitability and impact. The first is a vulnerability in QuickTime (CVE-2016-1848) where opening a maliciously crafted file may lead to arbitrary code execution. This is interesting in that social engineering could be employed to get a user to click on video file such as using a headline of the day that would be enticing to watch such as “Funny Quotes from Donald Trump” and bad things ensue (quite literally in the case of a malicious video).
There are many other vulnerabilities, but the true severity and impact is obscured by Apple’s limited information. That said, there is plenty of reasons to update quickly.
Safari 9.1.1 applies to Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.5. This is a minor update with 7 vulnerabilities fixed including 5 where arbitrary code could be executed by visiting a malicious website. Such vulnerabilities are hooks for Phishers to use to bait users to visit malicious websites and compromise their systems. One other vulnerability is a minor risk in that it prevents fully deleting browsing history. The final vulnerability (CVE-2016-1858) is moderate risk where visiting a malicious website may disclose data from another website. If you have any doubt, make sure Safari is up to date quickly as the 5 arbitrary code vulnerabilities will undoubtedly be useful for targeting users.
Apple usually releases updates for everything at once and this release is no different. There were also updates for iOS (9.3.2), watchOS (2.2.1), tvOS(9.2.1), and iTunes (12.4).
This month’s updates do little to entice users to want to update their systems in terms of new features. That said, Apple will push them down unless a user explicitly avoids it. There is enough critical vulnerabilities in these updates that all organizations should ensure all Mac OS X systems are up to date quickly.