Apple released security patches resolving multiple vulnerabilities in iOS, macOS Sierra, Safari, tvOS, and watchOS.
Patches came out for iOS 10.1 for 13 vulnerabilities found in components such as CFNetwork Proxies, CoreGraphics, FaceTime, FontParser, Kernel, libarchive, libxpc, Sandbox Profiles, Security, System Boot, and WebKit.
The operating system update had an impact on iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, Apple said in its advisory.
Attackers exploiting these vulnerabilities could run arbitrary code on the affected devices, could leak sensitive user information, could disclose kernel memory, could execute arbitrary code with root privileges, overwrite arbitrary files, or observe the length of a login password when a user logs in. Two issues in Sandbox Profiles could allow an application to retrieve metadata of photo directories or metadata of audio recording directories.
A bug in FaceTime could allow an attacker in a privileged network position to cause a relayed call to continue transmitting audio while appearing as if the call terminated, Apple officials said.
A hole in System Boot could allow a local user to cause an unexpected system termination or arbitrary code execution in the kernel, while two issues in WebKit could lead to arbitrary code execution when processing maliciously crafted web content.
macOS Sierra 10.12.1 released with patches for 16 vulnerabilities affecting components such as AppleGraphicsControl, AppleSMC, ATS, CFNetwork Proxies, CoreGraphics, FaceTime, FontParser, ImageIO, libarchive, libxpc, ntfs, NVIDIA Graphics Drivers, Security, and System Boot.
Working exploits for these security issues could result in the execution of arbitrary code with kernel privileges or with additional privileges, elevation of privileges, arbitrary code execution, leaking sensitive user information, disclosure of process memory, and denial of service.
The newly released Safari 10.0.1 resolved three vulnerabilities in WebKit, Apple said. The first (CVE-2016-4613) could result in the disclosure of user information when maliciously crafted web content processes, while the other two (CVE-2016-4666 and CVE-2016-4677) could lead to arbitrary code execution in the same circumstances.