—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004

OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:

apache_mod_php
Available for:
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650

Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to determine kernel memory layout
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

Audio
Available for: OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro’s Zero Day Initiative

Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

bsdiff
Available for: OS X El Capitan v10.11 and later
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in bspatch. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher

CFNetwork
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to view sensitive user information
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.

CoreGraphics
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

CoreGraphics
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to elevate privileges
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro’s Zero Day Initiative

FaceTime
Available for: OS X El Capitan v10.11 and later
Impact: An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description: User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo

Graphics Drivers
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins

ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

Intel Graphics Driver
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous researcher

IOHIDFamily
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

IOSurface
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A use-after-free was addressed through improved memory
management.
CVE-2016-4625 : Ian Beer of Google Project Zero

Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent

libc++abi
Available for: OS X El Capitan v10.11 and later
Impact: An application may be able to execute arbitrary code with
root privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4621 : an anonymous researcher

libexpat
Available for: OS X El Capitan v10.11 and later
Impact: Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-0718 : Gustavo Grieco

LibreSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in LibreSSL before 2.2.7. These
were addressed by updating LibreSSL to version 2.2.7.
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google) Mark Brand,
Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter

libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxslt
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire

Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to compromise of user information
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend
Micro’s Zero Day Initiative

Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to the compromise of user information
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend
Micro’s Zero Day Initiative

Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a denial of service
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend
Micro’s Zero Day Initiative

Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to gain root privileges
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend
Micro’s Zero Day Initiative

OpenSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8.
CVE-2016-2105 : Guido Vranken
CVE-2016-2106 : Guido Vranken
CVE-2016-2107 : Juraj Somorovsky
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
CVE-2016-2176 : Guido Vranken

QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4596 : Ke Liu of Tencent’s Xuanwu Lab
CVE-2016-4597 : Ke Liu of Tencent’s Xuanwu Lab
CVE-2016-4600 : Ke Liu of Tencent’s Xuanwu Lab
CVE-2016-4602 : Ke Liu of Tencent’s Xuanwu Lab

QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4598 : Ke Liu of Tencent’s Xuanwu Lab

QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted SGI file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4601 : Ke Liu of Tencent’s Xuanwu Lab

QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4599 : Ke Liu of Tencent’s Xuanwu Lab

Safari Login AutoFill
Available for: OS X El Capitan v10.11 and later
Impact: A user’s password may be visible on screen
Description: An issue existed in Safari’s password auto-fill. This
issue was addressed through improved matching of form fields.
CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD

Sandbox Profiles
Available for: OS X El Capitan v10.11 and later
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins

Note: OS X El Capitan 10.11.6 includes the security content of Safari
9.1.2. For further details see https://support.apple.com/kb/HT206900

OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained
from the Mac App Store or Apple’s Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–
Comment: GPGTools – https://gpgtools.org

iQIcBAEBCgAGBQJXjXAvAAoJEIOj74w0bLRG/5EP/2v9SJTrO+/4b3A1gqC1ch8y
+cJ04tXRsO7rvjKT5nCylo30U0Sanz/bUbDx4559YS7/P/IyeyZVheaTJwK8wzEy
pSOPpy35hUuVIw0/p4YsuHDThSBPFMmDljTxH7elkfuBV1lPSrCkyDXc0re2HxWV
xj68zAxtM0jkkhgcxb2ApZSZVXhrjUZtbY0xEVOoWKKFwbMvKfx+4xSqunwQeS1u
wevs1EbxfvsZbc3pG+xYcOonbegBzOy9aCvNO1Yv1zG+AYXC5ERMq1vk3PsWOTQN
ZVY1I7mvCaEfvmjq2isRw8XYapAIKISDLwMKBSYrZDQFwPQLRi1VXxQZ67Kq1M3k
ah04/lr0RIcoosIcBqxD2+1UAFjUzEUNFkYivjhuaeegN2QdL7Ujegf1QjdAt8lk
mmKduxYUDOaRX50Kw7n14ZveJqzE1D5I6QSItaZ9M1vR60a7u91DSj9D87vbt1YC
JM/Rvf/4vonp1NjwA2JQwCiZfYliBDdn9iiCl8mzxdsSRD/wXcZCs05nnKmKsCfc
55ET7IwdG3622lVheOJGQZuucwJiTn36zC11XVzZysQd/hLD5rUKUQNX1WOgZdzs
xPsslXF5MWx9jcdyWVSWxDrN0sFk+GpQFQDuVozP60xuxqR3qQ0TXir2NP39uIF5
YozOGPQFmX0OviWCQsX6
=ng+m
—–END PGP SIGNATURE—–

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)