Happy Holidays – New Updates for MAC OS

macos-10-12-2-610x276

It is the holiday season and with that comes presents for the MAC OS in the form of updates for a number of issues, including several denial of service.

Released on December 13th, Apple has new security updates for macOS Sierra 10.12.2, El Capitan 2016-003 and Yosemite 2016-007.

The winner for most CVE updates for this release is macOS Sierra 10.12.2 with 71 CVEs to address a wide variety of vulnerabilities. These vulnerabilities include 8 denial of service issues

  • CVE-2016-7609 : AppleGraphicsPowerManagement  – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7605 : Bluetooth – Improved input validation has been added to address the possible impact of an application being able to cause a system denial of service.
  • CVE-2016-7604 : CoreCapture – Improved state management has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7603 : CoreStorage – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7667 : CoreText – Improved validation of overlapping ranges has been added to address the possible processing of a maliciously crafted string being able to cause a denial of service.
  • CVE-2016-7615 : Kernel  – Improved memory handling has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-6304 : LibreSSL and OpenSSL – Improved memory handling in unbounded OCSP growth has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.
  • CVE-2016-7636 : Security – Verification of OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.

This security update addresses memory corruption and shared memory issues, use after free issues, validation and system privilege issues on top of the denial of service critical vulnerabilities.

New security content is also available for Safari 10.0.2 which is made up of 25 CVEs to address vulnerabilities focusing on arbitrary code execution in both Safari Reader and WebKit. Given the number of user targeted vulnerabilities, it would be a good idea to look at installing this security update sooner rather than later.

With the pending end to 2016, now is the perfect time to start a new habit of patching your MAC regularly and having a more secure 2017.