Security Update 2017-006 is recommended for all users and improves the security of OS X.
This update includes the following improvements:
afclip
- Available for: macOS Sierra 10.12.5
- Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
- Description: A memory corruption issue was addressed through improved input validation.
- CVE-2017-7016: riusksk (泉哥) of Tencent Security Platform Department
afclip
- Available for: macOS Sierra 10.12.5
- Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7033: riusksk (泉哥) of Tencent Security Platform Department
AppleGraphicsPowerManagement
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team
Audio
- Available for: macOS Sierra 10.12.5
- Impact: Processing a maliciously crafted audio file may disclose restricted memory
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7015: riusksk (泉哥) of Tencent Security Platform Department
Bluetooth
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7050: Min (Spark) Zheng of Alibaba Inc.
- CVE-2017-7051: Alex Plaskett of MWR InfoSecurity
Bluetooth
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to execute arbitrary code with kernel privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7054: Alex Plaskett of MWR InfoSecurity, Lufeng Li of Qihoo 360 Vulcan Team
Contacts
- Available for: macOS Sierra 10.12.5
- Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
- Description: A buffer overflow issue was addressed through improved memory handling.
- CVE-2017-7062: Shashank (@cyberboyIndia)
CoreAudio
- Available for: macOS Sierra 10.12.5
- Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
- Description: A memory corruption issue was addressed with improved bounds checking.
- CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
curl
- Available for: macOS Sierra 10.12.5
- Impact: Multiple issues in curl
- Description: Multiple issues were addressed by updating to version 7.54.0.
- CVE-2016-9586
- CVE-2016-9594
- CVE-2017-2629
- CVE-2017-7468
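The curl entry names a concrete fixed version, so it is the one item on this page a practitioner can verify from a shell. The script below is an added example, not part of Apple's advisory: it parses the first line of `curl --version` (assumed to have the form `curl X.Y.Z (...)`, which is what `/usr/bin/curl` prints) and compares the version numerically, field by field, against 7.54.0. The two sample lines are constructed for illustration, and `/usr/bin/curl` is assumed to be the system copy rather than a Homebrew or MacPorts build found earlier in `PATH`.

```sh
#!/bin/sh
# Added example (not Apple's code): check whether the curl reported by the
# system matches or exceeds the version this advisory says it was updated to.

CURL_FIXED_VERSION=7.54.0

# version_ge A B : succeed if dotted version A is >= dotted version B.
# Compares up to three numeric fields so that 7.9.9 sorts below 7.54.0;
# a plain string comparison would get that case wrong. Missing fields are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".");
        for (i = 1; i <= 3; i++) {
            x = (i <= na) ? A[i] + 0 : 0;
            y = (i <= nb) ? B[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0;
    }'
}

# curl_line_fixed LINE : succeed if LINE, the first line of `curl --version`
# output, reports a version >= CURL_FIXED_VERSION. Returns 2 if the line does
# not look like curl's banner at all (assumed format: "curl X.Y.Z (...)").
curl_line_fixed() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "curl" { print $2; exit }')
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$CURL_FIXED_VERSION"
}

# check_system_curl : run the same check against the system binary by path,
# so a third-party curl earlier in PATH cannot mask an unpatched /usr/bin/curl.
check_system_curl() {
    curl_line_fixed "$(/usr/bin/curl --version 2>/dev/null | head -n 1)"
}

# Constructed sample banner lines (not captured from a real host).
OLD_LINE='curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport zlib/1.2.8'
NEW_LINE='curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8'

if curl_line_fixed "$OLD_LINE"; then echo "sample OLD_LINE: fixed"; else echo "sample OLD_LINE: NOT fixed"; fi
if curl_line_fixed "$NEW_LINE"; then echo "sample NEW_LINE: fixed"; else echo "sample NEW_LINE: NOT fixed"; fi

# Pass --live to check the real system binary instead of the samples.
if [ "${1:-}" = "--live" ]; then
    if check_system_curl; then
        echo "/usr/bin/curl is at or above $CURL_FIXED_VERSION"
    else
        echo "/usr/bin/curl is older than $CURL_FIXED_VERSION or could not be read"
    fi
fi
```

A version at or above 7.54.0 only shows that this particular component was refreshed; the other entries on this page are kernel, driver and framework fixes with no user-visible version string, so the update itself being installed remains the only check for those.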
Foundation
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: Processing a maliciously crafted file may lead to arbitrary code execution
- Description: A memory corruption issue was addressed through improved input validation.
- CVE-2017-7031: HappilyCoded (ant4g0nist and r3dsm0k3)
Intel Graphics Driver
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7014: Lee of Minionz, Axis and sss of Qihoo 360 Nirvan Team
- CVE-2017-7017: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
- CVE-2017-7035: shrek_wzw of Qihoo 360 Nirvan Team
- CVE-2017-7044: shrek_wzw of Qihoo 360 Nirvan Team
Intel Graphics Driver
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to read restricted memory
- Description: A validation issue was addressed with improved input sanitization.
- CVE-2017-7036: shrek_wzw of Qihoo 360 Nirvan Team
- CVE-2017-7045: shrek_wzw of Qihoo 360 Nirvan Team
IOUSBFamily
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to execute arbitrary code with kernel privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team
Kernel
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7022: an anonymous researcher
- CVE-2017-7024: an anonymous researcher
Kernel
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to execute arbitrary code with kernel privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7023: an anonymous researcher
Kernel
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to execute arbitrary code with kernel privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7025: an anonymous researcher
- CVE-2017-7027: an anonymous researcher
- CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team
Kernel
- Available for: macOS Sierra 10.12.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7026: an anonymous researcher
Kernel
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to read restricted memory
- Description: A validation issue was addressed with improved input sanitization.
- CVE-2017-7028: an anonymous researcher
- CVE-2017-7029: an anonymous researcher
Kernel
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to read restricted memory
- Description: A validation issue was addressed with improved input sanitization.
- CVE-2017-7067: shrek_wzw of Qihoo 360 Nirvan Team
kext tools
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7032: Axis and sss of Qihoo 360 Nirvan Team
libarchive
- Available for: macOS Sierra 10.12.5
- Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
- Description: A buffer overflow was addressed through improved bounds checking.
- CVE-2017-7068: found by OSS-Fuzz
libxml2
- Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
- Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
- Description: An out-of-bounds read was addressed through improved bounds checking.
- CVE-2017-7010: Apple
- CVE-2017-7013: found by OSS-Fuzz
libxpc
- Available for: macOS Sierra 10.12.5 and OS X El Capitan 10.11.6
- Impact: An application may be able to execute arbitrary code with system privileges
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-7047: Ian Beer of Google Project Zero
Wi-Fi
- Available for: macOS Sierra 10.12.5
- Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
- Description: A memory corruption issue was addressed with improved memory handling.
- CVE-2017-9417: Nitay Artenstein of Exodus Intelligence