
macOS < 10.11.5 Multiple Vulnerabilities

High

Synopsis

The specific version of Mac OS X that the system is running is reportedly affected by multiple vulnerabilities.

Description

The specific version of Mac OS X that the system is running is reportedly affected by the following vulnerabilities:

- Apple Mac OS X contains a use-after-free error in the WindowServer process that is triggered when handling CFData objects in memory. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2016-1804)

- Apple Mac OS X contains an array indexing flaw in the blit3d_submit_commands() function within the IOAcceleratorFamily component. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1815)

- Multiple Apple products contain a flaw as HTTP and HTTPS requests are not properly handled. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1801)

- Multiple Apple products contain a flaw that is triggered when handling return values related to key lengths in CommonCrypto (CCCrypt). This may allow a local attacker to gain unauthorized access to sensitive user information. (CVE-2016-1802)

- Multiple Apple products contain a NULL pointer dereference flaw in CoreCapture that is triggered as input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1803)

- Multiple Apple products contain a flaw related to disk images that is triggered by a race condition related to locking. This may allow a local attacker to gain unauthorized access to kernel memory information. (CVE-2016-1807)

- Multiple Apple products contain a flaw that is triggered as user-supplied input is not properly validated when handling disk images. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code. (CVE-2016-1808)

- Multiple Apple products contain a NULL pointer dereference flaw in ImageIO that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1811)

- Multiple Apple products contain an overflow condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow and potentially execute arbitrary code with kernel privileges. (CVE-2016-1817)

- Multiple Apple products contain a flaw in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1818)

- Multiple Apple products contain a use-after-free condition in the IOAcceleratorFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to dereference already freed memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1819)

- Multiple Apple products contain a NULL pointer dereference in IOAcceleratorFamily related to improper locking. This may allow a local attacker to cause a denial of service. (CVE-2016-1814)

- Multiple Apple products contain a NULL pointer dereference in the IOAccelSharedUserClient2::page_off_resource() function that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1813)

- Multiple Apple products contain an out-of-bounds access flaw in the IOHIDFamily component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1823)

- Multiple Apple products contain a flaw in the IOHIDFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1824)

- Multiple Apple products contain a flaw in the kernel. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1827, CVE-2016-1828, CVE-2016-1829, CVE-2016-1830, CVE-2016-1831)

- Multiple Apple products contain a flaw in libc. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1832)

- Libxml2 contains an overflow condition in the xmlStrncatNew() function of xmlstring.c. The issue is triggered as user-supplied input is not properly validated when handling a string with a NULL. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1834)

- Libxml2 contains a use-after-free error in the xmlParseStartTag2() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1835)

- Libxml2 contains a use-after-free error in the xmlParseNCNameComplex() function of parser.c. The issue is triggered when parsing complex names. With a specially crafted file, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1836)

- Libxml2 contains an overflow condition in the htmlParseSystemLiteral() and htmlParsePubidLiteral() functions of HTMLparser.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1837)

- Libxml2 contains an overflow condition in the xmlFAParseCharRange() function of xmlregexp.c. The issue is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1840)

- Multiple Apple products contain a flaw in libxslt. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted website. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1841)

- Multiple Apple products contain a flaw in MapKit that is triggered as shared links are transferred insecurely over HTTP. This may potentially allow a man-in-the-middle attacker to gain unauthorized access to sensitive information in these links. (CVE-2016-1842)

- Multiple Apple products contain a flaw in the OpenGL component. The issue is triggered as user-supplied input is not properly validated when handling specially crafted web content. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1847)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1792)

- Apple Mac OS X contains a flaw in the AMD component. The issue is triggered as bounds are not properly checked. This may allow a local attacker to determine kernel memory layout. (CVE-2016-1791)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControl component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1793)

- Apple Mac OS X contains a NULL pointer dereference flaw in the AppleGraphicsControlClient::checkArguments() function in AppleMuxControl.kext that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1794)

- Apple Mac OS X contains a flaw in the AppleGraphicsPowerManagement component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1795)

- Apple Mac OS X contains an out-of-bounds read flaw in the ATS component. This may allow a local attacker to potentially disclose kernel memory layout. (CVE-2016-1796)

- Apple Mac OS X contains a flaw in the ATS component that is triggered as the sandbox policy is not properly implemented for FontValidator. This may allow a local attacker to potentially execute arbitrary code with system privileges. (CVE-2016-1797)

- Apple Mac OS X contains a NULL pointer dereference flaw in the Audio component that is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a denial of service. (CVE-2016-1798)

- Apple Mac OS X contains a flaw in the Audio component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute arbitrary code with kernel privileges. (CVE-2016-1799)

- Apple Mac OS X contains a flaw in the Captive Network Assistant component that is triggered as URL schemes are not properly validated. This may allow a user-assisted, man-in-the-middle attacker to potentially execute arbitrary code. (CVE-2016-1800)

- Apple Mac OS X contains an unspecified configuration flaw in the CoreStorage component. This may allow a local attacker to potentially execute arbitrary code with kernel privileges. (CVE-2016-1805)

- Apple Mac OS X contains a flaw in the Crash Reporter component (com.apple.SubmitDiagInfo) that is triggered when handling user-supplied paths when creating directories. This may allow a local attacker to execute arbitrary code with root privileges. (CVE-2016-1806)

- Apple Mac OS X contains a flaw in the Disk Utility component that is triggered as the incorrect keys were used to encrypt disk images. This may result in disk images not being properly compressed and encrypted. (CVE-2016-1809)

- Apple Mac OS X contains a NULL pointer dereference flaw in the ImageIO component that is triggered when handling a specially crafted image. This may allow a context-dependent attacker to cause a denial of service. (CVE-2016-1810)

- Apple Mac OS X contains an overflow condition in the Intel Graphics Driver component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1812)

- Apple Mac OS X contains a NULL pointer dereference in IOAcceleratorFamily that is triggered as user-supplied input is not properly sanitized. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1816)

- Apple Mac OS X contains an overflow condition in the IOAudioFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code with kernel privileges. (CVE-2016-1820)

- Apple Mac OS X contains a NULL pointer dereference in the IOAudioFamily component. This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1821)

- Apple Mac OS X contains a flaw in the IOFireWireFamily component. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1822)

- Apple Mac OS X contains multiple flaws in the IOHIDFamily component. These issues are triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1825)

- Apple Mac OS X contains an integer overflow condition in its dtrace implementation. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to execute arbitrary code with kernel privileges. (CVE-2016-1826)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by a failure to properly validate roster changes. This may allow an authenticated remote attacker, or a malicious server, to manipulate another user's contact list. (CVE-2016-1844)

- Apple Mac OS X contains a flaw in the Messages component that is triggered by an encoding issue in filename parsing. This may allow a remote attacker to gain unauthorized access to potentially sensitive user information. (CVE-2016-1843)

- Apple Mac OS X contains a NULL pointer dereference flaw in the nvCommandQueue::GetHandleIndex() function in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a crash or potentially execute arbitrary code with kernel privileges. (CVE-2016-1846)

- Apple Mac OS X contains a flaw in the QuickTime component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1848)

- Apple Mac OS X contains a flaw in the SceneKit component. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-1850)

- Apple Mac OS X contains a flaw in the management of password profiles. This may allow a physically present attacker to bypass the screen lock and reset an expired password. (CVE-2016-1851)

- Apple Mac OS X contains a flaw in the Tcl component related to the usage of SSLv2. This may potentially allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to disclose transmitted data. (CVE-2016-1853)

- Apple Mac OS X contains an overflow condition in the NVIDIA Graphics Driver (GeForce.kext). This may allow a local attacker to cause a stack-based buffer overflow and potentially execute arbitrary code with kernel privileges. Technical Information: This issue was split out from VulnDB ID 138609, as it was assigned a separate CVE ID. (CVE-2016-1861)

- No description supplied (CVE-2016-1833, CVE-2016-1839, CVE-2016-1815, CVE-2016-1804)

Solution

It has been reported that these issues have been fixed. Please refer to the product listing for upgraded versions that address these vulnerabilities.

See Also

https://bugs.chromium.org/p/project-zero/issues/detail?id=724
https://support.apple.com/en-us/HT206567
http://seclists.org/bugtraq/2016/May/76
http://seclists.org/fulldisclosure/2016/May/45
http://blog.trendmicro.com/pwn2own-2016-begun/
http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Closing-out-the-first-day/ba-p/6842359
http://blog.trendmicro.com/pwn2own-day-1-recap/
http://community.hpe.com/t5/Security-Research/Zero-Day-Initiative-announces-Pwn2Own-2016/ba-p/6831571
http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-The-lineup-and-schedule/ba-p/6841867
https://twitter.com/thehpesr/status/710223359137550336
http://www.zerodayinitiative.com/advisories/ZDI-16-358/
https://www.youtube.com/watch?v=Sh8pveFv2DI
http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Day-two-crowning-the-Master-of-Pwn/ba-p/6842863
http://blog.trendmicro.com/pwn2own-day-2-event-wrap/
https://twitter.com/thehpesr/status/710518333511114752
https://twitter.com/thezdi/status/710518327479635968
http://www.zerodayinitiative.com/advisories/ZDI-16-345/
https://support.apple.com/en-us/HT206568
https://support.apple.com/en-us/HT206564
http://seclists.org/bugtraq/2016/May/74
http://seclists.org/fulldisclosure/2016/May/41
http://seclists.org/fulldisclosure/2016/May/43
http://jvn.jp/vu/JVNVU91632741/index.html
http://jvn.jp/vu/JVNVU90289707/index.html
https://support.apple.com/en-us/HT206566
http://seclists.org/bugtraq/2016/May/73
http://seclists.org/bugtraq/2016/May/75
http://seclists.org/fulldisclosure/2016/May/44
https://bugs.chromium.org/p/project-zero/issues/detail?id=777
https://www.google.com/about/appsecurity/research/
http://www.zerodayinitiative.com/advisories/ZDI-16-339/
https://bugs.chromium.org/p/project-zero/issues/detail?id=732
https://bugs.chromium.org/p/project-zero/issues/detail?id=730
http://www.zerodayinitiative.com/advisories/ZDI-16-340/
https://bugs.chromium.org/p/project-zero/issues/detail?id=772
https://bugs.chromium.org/p/project-zero/issues/detail?id=778
https://bugs.chromium.org/p/project-zero/issues/detail?id=774
http://www.scmagazine.com/gchq-infosec-group-disclosed-kernel-privilege-exploit-to-apple/article/498288/
http://xmlsoft.org/news.html
http://bugzilla.gnome.org/show_bug.cgi?id=763071
https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc
http://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-8-5/ba-p/1591710
https://bugs.chromium.org/p/chromium/issues/detail?id=629852
https://bugs.chromium.org/p/chromium/issues/detail?id=614405
http://www-01.ibm.com/support/docview.wss?uid=swg21989043
https://www.debian.org/security/2016/dsa-3593
https://www.alienvault.com/forums/discussion/7243/security-advisory-alienvault-v5-2-5-addresses-26-vulnerabilities
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00012.html
http://www.ubuntu.com/usn/usn-2994-1/
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00029.html
https://www.suse.com/support/update/announcement/2016/suse-su-20161538-1.html
http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html
http://www.splunk.com/view/SP-CAAAPQM
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://seclists.org/bugtraq/2016/Jun/14
https://bugzilla.gnome.org/show_bug.cgi?id=759020
https://bugzilla.gnome.org/show_bug.cgi?id=759398
https://support.apple.com/en-us/HT206903
https://support.apple.com/en-us/HT206902
https://support.apple.com/en-us/HT206904
https://support.apple.com/en-us/HT206905
https://support.apple.com/en-us/HT206901
https://support.apple.com/en-us/HT206899
http://seclists.org/bugtraq/2016/Jul/75
http://seclists.org/bugtraq/2016/Jul/76
http://seclists.org/bugtraq/2016/Jul/77
http://seclists.org/bugtraq/2016/Jul/78
http://seclists.org/bugtraq/2016/Jul/79
http://seclists.org/bugtraq/2016/Jul/80
http://jvn.jp/vu/JVNVU94844193/index.html
https://bugzilla.gnome.org/show_bug.cgi?id=760263
https://bugzilla.gnome.org/show_bug.cgi?id=758605
https://bugzilla.gnome.org/show_bug.cgi?id=757711
https://bugs.chromium.org/p/project-zero/issues/detail?id=782
https://bugs.chromium.org/p/project-zero/issues/detail?id=783
http://www.zerodayinitiative.com/advisories/ZDI-16-361/
http://www.zerodayinitiative.com/advisories/ZDI-16-360/
http://www.zerodayinitiative.com/advisories/ZDI-16-346/
http://www.zerodayinitiative.com/advisories/ZDI-16-347/
https://bugs.chromium.org/p/project-zero/issues/detail?id=776
http://www.zerodayinitiative.com/advisories/ZDI-16-344/
https://bugs.chromium.org/p/project-zero/issues/detail?id=784
http://protekresearchlab.com/cosig-2016-19/
http://www.theregister.co.uk/2016/07/21/wavering_about_apples_latest_security_fix_dont_says_talos/
http://www.infosecurity-magazine.com/news/stagefright-returns-users-urged-to/
http://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/
http://www.talosintelligence.com/reports/TALOS-2016-0183/