GIU Gallery File version 1.0.2 suffers from a remote SQL injection vulnerability.
Monthly Archives: October 2016
Apple Releases Security Updates
Original release date: October 24, 2016
Apple has released security updates to address vulnerabilities in iOS, watchOS, tvOS, Safari, and macOS Sierra. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review the Apple security pages for iOS, watchOS, tvOS, Safari, and macOS Sierra and apply the necessary updates.
Webcam firm recalls hackable devices after mighty Mirai botnet attack
Chinese firm says it will recall vulnerable components, but as long as insecure devices continue to be attached to the internet, there will be opportunities for malicious hackers to exploit them and use them for their own ends.
The post Webcam firm recalls hackable devices after mighty Mirai botnet attack appeared first on WeLiveSecurity.
APPLE-SA-2016-10-24-3 Safari 10.0.1
Posted by Apple Product Security on Oct 24
Safari 10.0.1 is now available and addresses the following:
WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4666: Apple
WebKit
Available for: OS X Yosemite v10.10.5, OS X…
APPLE-SA-2016-10-24-4 tvOS 10.0.1
Posted by Apple Product Security on Oct 24
tvOS 10.0.1 is now available and addresses the following:
CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: A phishing issue existed in the handling of proxy
credentials. This issue was addressed by removing unsolicited proxy
password authentication prompts.
CVE-2016-7579: Jerry Decime…
APPLE-SA-2016-10-24-5 watchOS 3.1
Posted by Apple Product Security on Oct 24
watchOS 3.1 is now available and addresses the following:
CoreGraphics
Available for: All Apple Watch models
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent
FontParser
Available for: All Apple Watch models
Impact:…
APPLE-SA-2016-10-24-1 iOS 10.1
Posted by Apple Product Security on Oct 24
iOS 10.1 is now available and addresses the following:
CFNetwork Proxies
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: A phishing issue existed in the handling of proxy
credentials. This issue was addressed by removing unsolicited proxy
password…
APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1
Posted by Apple Product Security on Oct 24
macOS Sierra 10.12.1 is now available and addresses the following:
AppleGraphicsControl
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
lock state checking.
CVE-2016-4662: Apple
AppleSMC
Available for: macOS Sierra 10.12
Impact: A…
Fake Microsoft Installer Leads to Malware, Support Call Scam
An installer purporting to be Microsoft Security Essentials is malware that can lead to a support call scam.
Apple macOS 10.12.1/iOS 10 SecureTransport SSL handshake OCSP MiTM and DoS
Posted by [CXSEC] on Oct 24
Credit: Maksymilian Arciemowicz (https://cxsecurity.com/)
URL: https://cxsecurity.com/issue/WLB-2016100213
--- 0. Description ---
The latest macOS and iOS have a weak OCSP validation process which allows
an attacker to send OCSP requests (up to 200k) in the name of the victim
during a MiTM attack.
--- 1. MiTM and handshake OCSP verification ---
Apple’s SecureTransport trusts and…