macOS Sierra isn’t just a pretty face. Apple has patched quite a few security flaws, including one that affects Docker
Apple is patching 68 security issues in its desktop operating system as part of the release of its new macOS Sierra (10.12) milestone.
Apple’s previous security update for its desktop operating system debuted Sept. 2 with OS X 10.11.6 fixing three zero-day flaws that were first patched in iOS. Starting with version 10.12, Apple has rebranded its desktop operating system from OS X to simply macOS.
With macOS Sierra, the desktop update comes after Apple’s mobile release, with iOS 10 debuting Sept. 13. Once again, some security patches first made available on iOS are now coming to macOS. Among the issues first patched in iOS and now landing in macOS is CVE-2016-4708 in the CFNetwork component, which provides core networking technologies to both iOS and macOS.
macOS Sierra security
There are also multiple cryptographic flaws that were first fixed in iOS 10 that are now coming to macOS Sierra. CVE-2016-4711 is a flaw in the CommonCrypto library that could have enabled information disclosures. The CVE-2016-4712 vulnerability in Apple’s CoreCrypto library potentially could have enabled an application to execute arbitrary code.
Apple’s kernel that is used in both iOS 10 and macOS Sierra also is being patched for eight vulnerabilities; CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777 and CVE-2016-4778 potentially could have enabled arbitrary code execution with full kernel privileges.
While some attack vectors require hackers to use elaborate methods to exploit systems, macOS Sierra provides updates to help protect against a number of attacks that might not have been difficult to execute. Among those issues is a vulnerability (CVE-2016-4779) in Apple Type Service (ATS) reported by Chinese firm Tencent.
“Processing a maliciously crafted font file may lead to arbitrary code execution,” Apple warns in its advisory.
A team of researchers from Yonsei University in South Korea reported an interesting audio flaw (CVE-2016-4702) to Apple. The vulnerability potentially could have enabled a remote attacker to execute arbitrary code, due to a memory corruption issue with the audio library component.
Although Apple benefits from reports provided by multiple groups of security researchers, for the macOS Sierra update, Trend Micro’s Zero-Day Initiative (ZDI) is well-represented. ZDI contributors reported five different flaws (CVE-2016-4727, CVE-2016-4750, CVE-2016-4697, CVE-2016-4699 and CVE-2016-4700). The ZDI pays security researchers to disclose vulnerabilities, which ZDI then responsibly discloses to the affected vendor.
Another interesting vulnerability report for macOS Sierra came to Apple from Docker Inc., whose popular open-source application container engine and orchestration system now has a native client available on macOS.
Magnus Skjegstad, David Scott and Anil Madhavapeddy from Docker Inc. discovered the CVE-2016-4739 vulnerability in the mDNSResponder component of macOS. The mDNSResponder is Apple’s service for enabling networking, including the Bonjour protocol. The CVE-2016-4739 vulnerability could have enabled a remote attacker to view sensitive information.
In addition to the macOS Sierra updates, Apple also released Safari 10, providing 21 patches for vulnerabilities in Apple’s web browser. Nineteen of the 21 issues are in the WebKit rendering engine and involved memory corruption issues that could have led to arbitrary code execution and information disclosure.
Originally published on eWeek