Apple released the final version of macOS Sierra 10.12 that fixes 65 security vulnerabilities.
Suffering from 16 holes, the “apache_mod_php” module responsible for interpreting PHP code was the most affected component in the platform.
The most significant of these issues could lead to unexpected application termination or arbitrary code execution. Apple resolved these vulnerabilities by updating PHP to version 5.6.24.
Other affected areas include Apple’s implementation of Apache, AppleEFIRuntime, Application Firewall, Audio, Bluetooth, CFNetwork, CommonCrypto, CoreCrypto, curl, FontParser, Intel Graphics Driver, IOAcceleratorFamily, Kernel, libarchive, libxml2, Terminal, and WindowServer.
Most of the vulnerabilities ended up reported by external researchers, but Apple found some themselves.
Arbitrary code execution was the vulnerability with the largest number of occurrences in Apple’s security advisory.
Some of these could result in the execution of code with kernel or system privileges. Vulnerabilities that could result in denial of service or leaked user information were also in this release.
In addition to macOS Sierra 10.12, which resolves vulnerabilities in OS X El Capitan v10.11.6, Apple also released macOS Server 5.2 and Safari 10, to address additional security bugs, along with iCloud for Windows 6.0, which is available for Windows 7 and later with a patch for a WebKit flaw that could lead to arbitrary code execution when processing maliciously crafted web content.
macOS Server 5.2 is available for macOS Sierra 10.12 with patches for two issues, one in apache and another in the ServerDocs Server component. By exploiting the ServerDocs Server vulnerability (CVE-2016-4754), an attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm. To resolve the bug, Apple removed RC4 as a supported cipher.
Safari 10 shipped with patches for 21 vulnerabilities in three components, Safari Reader, Safari Tabs, and WebKit. The new browser release is available for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12, Apple said.
Safari Reader and Safari Tabs had one vulnerability each, namely a universal cross site scripting (CVE-2016-4618) and an address bar spoofing flaw (CVE-2016-4751) respectively. WebKit had 19 bugs, including 15 memory corruption issues and a parsing issue in the handling of error prototypes, all of which could result in arbitrary code execution.
Other vulnerabilities addressed in Safari 10 could result in leaked sensitive data or in malicious websites accessing non-HTTP services. A certificate validation issue in the handling of WKWebView could allow an attacker in a privileged network position to intercept and alter network traffic to applications using WKWebView with HTTPS.