Apple July 2016 Mac OS X Updates
As was the case in May, Happy Apple Patch Monday!
Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including versions El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari, with a new version 9.1.2. In total, there were 72 vulnerabilities fixed with many that create high-risk to enterprises.
OS X 10.11.6 and Security Update 2016-004
Apple is clearly in maintenance mode for released versions of OS X as they prepare to get macOS Sierra ready for release in a few months. There are no apparent significant new features in OS X 10.11.6, some bug fixes, and fixes for 60 vulnerabilities. These vulnerabilities also apply to older versions in the form of Security Update 2016-004.
As is the case in other security updates, Apple is selective about which vulnerabilities are fixed for the older, supported versions. I highly doubt that many of these vulnerabilities only apply to 10.11. In terms of a breakdown of the vulnerabilities fixed by OS X version, we get:
|OS X Version
|10.11 and later
Interesting vulnerabilities fixed in this release includes seven that apply to QuickTime where processing an image file can lead to arbitrary code execution. These types are golden for hackers since they can be emailed via SPAM or phishing and lure a target to compromise. With all of the terrible headlines in the news lately, it is easy to imagine how a hacker might send a message using news of the day with an image attached which someone would be enticed to open.
There were also a number of other arbitrary code execution vulnerabilities that address the PHP, Graphics, Image, and SSL components. There is one vulnerability, CVE-2016-2108, in the OpenSSL component that is particularly nasty with a CVSS 3.0 score of 9.8 out of 10. With all the attacks on SSL (Heartbleed) in recent times, this alone is a strong reason to upgrade all Macs with this update.
Safari 9.1.2 applies to OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6 and fixes 12 vulnerabilities. Of the dozen vulnerabilities, six have the impact where, to quote Apple, “Visiting a maliciously crafted website may lead to arbitrary code execution.”
Needless to say, arbitrary code execution is bad news and by simply visiting a maliciously crafted website to do so is really bad news. A real world example is phishing an end user to get them to click on a link and visit a bad website which then causes ransomware to be downloaded and run. The first instance of ransomware in the wild was discovered in March and delivered by an infected BitTorrent client, but it’s only a matter of time before web-based targeting occurs using vulnerabilities like those fixed in Safari 9.1.2.
As is typically the case, Apple also released updates for other key software including iOS 9.3.3, watchOS 2.2.2, tvOS 9.2.1 (I'm wondering if this is version error as May also had a tvOS 9.2.1), and iTunes 12.4.2 for Windows. An interesting note is that on iTunes 12.4.2, all of the vulnerabilities fixed also applied to the OS X updates and came in the form of various xml libraries. There is not a lot of detail in the bulletin to determine the impact of these iTunes fixes, but there are some nasty vulnerabilities, including CVE-2016-1836, which allows arbitrary code execution via a bad XML file (check out my cool playlist and get hacked for example).
Like the May 2016 updates, this month’s release doesn’t have anything by way of features to encourage users to upgrade, but there are plenty of high-security risks that should encourage all enterprises to update as soon as possible.