-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0746
           OS X El Capitan 10.11.4 and Security Update 2016-002
                               22 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1950 CVE-2016-1788 CVE-2016-1775
                   CVE-2016-1773 CVE-2016-1770 CVE-2016-1769
                   CVE-2016-1768 CVE-2016-1767 CVE-2016-1764
                   CVE-2016-1762 CVE-2016-1761 CVE-2016-1759
                   CVE-2016-1758 CVE-2016-1757 CVE-2016-1756
                   CVE-2016-1755 CVE-2016-1754 CVE-2016-1753
                   CVE-2016-1752 CVE-2016-1750 CVE-2016-1749
                   CVE-2016-1748 CVE-2016-1747 CVE-2016-1746
                   CVE-2016-1745 CVE-2016-1744 CVE-2016-1743
                   CVE-2016-1741 CVE-2016-1740 CVE-2016-1738
                   CVE-2016-1737 CVE-2016-1736 CVE-2016-1735
                   CVE-2016-1734 CVE-2016-1733 CVE-2016-1732
                   CVE-2016-0802 CVE-2016-0801 CVE-2016-0778
                   CVE-2016-0777 CVE-2015-8659 CVE-2015-8472
                   CVE-2015-8242 CVE-2015-8126 CVE-2015-8035
                   CVE-2015-7942 CVE-2015-7551 CVE-2015-7500
                   CVE-2015-7499 CVE-2015-5334 CVE-2015-5333
                   CVE-2015-5312 CVE-2015-3195 CVE-2015-1819
                   CVE-2015-0973 CVE-2014-9495 

Reference:         ASB-2016.0025
                   ASB-2016.0020
                   ESB-2016.0743
                   ESB-2016.0742
                   ESB-2016.0741
                   ASB-2016.0018.2

Original Bulletin: 
   https://support.apple.com/en-au/HT206167

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update
2016-002

OS X El Capitan 10.11.4 and Security Update 2016-002 is now available
and addresses the following:

apache_mod_php
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description:  Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by updating libpng to version
1.6.20.
CVE-ID
CVE-2015-8126 : Adam Mari
CVE-2015-8472 : Adam Mari

AppleRAID
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team

AppleRAID
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A local user may be able to determine kernel memory layout
Description:  An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-ID
CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team

AppleUSBNetworking
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
data from USB devices. This issue was addressed through improved
input validation.
CVE-ID
CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path

Bluetooth
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1735 : Jeonghoon Shin@A.D.D
CVE-2016-1736 : beist and ABH of BoB

Carbon
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted .dfont file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2016-1737 : an anonymous researcher

dyld
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An attacker may tamper with code-signed applications to
execute arbitrary code in the application's context
Description:  A code signing verification issue existed in dyld. This
issue was addressed with improved validation.
CVE-ID
CVE-2016-1738 : beist and ABH of BoB

FontParser
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with
Trend Micro's Zero Day Initiative (ZDI)

HTTPProtocol
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple vulnerabilities existed in nghttp2 versions
prior to 1.6.0, the most serious of which may have led to remote code
execution. These were addressed by updating nghttp2 to version 1.6.0.
CVE-ID
CVE-2015-8659

Intel Graphics Driver
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1743 : Piotr Bania of Cisco Talos
CVE-2016-1744 : Ian Beer of Google Project Zero

IOFireWireFamily
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A local user may be able to cause a denial of service
Description:  A null pointer dereference was addressed through
improved validation.
CVE-ID
CVE-2016-1745 : sweetchip of Grayhash

IOGraphics
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-ID
CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's
Zero Day Initiative (ZDI)
CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's
Zero Day Initiative (ZDI)

IOHIDFamily
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to determine kernel memory layout
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-ID
CVE-2016-1748 : Brandon Azad

IOUSBFamily
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of
Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A use after free issue was addressed through improved
memory management.
CVE-ID
CVE-2016-1750 : CESG

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A race condition existed during the creation of new
processes. This was addressed through improved state handling.
CVE-ID
CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaca

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-ID
CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team

Kernel
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2016-1755 : Ian Beer of Google Project Zero
CVE-2016-1759 : lokihardt

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to determine kernel memory layout
Description:  An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-ID
CVE-2016-1758 : Brandon Azad

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple integer overflows were addressed through
improved input validation.
CVE-ID
CVE-2016-1753 : Juwei Lin of Trend Micro working with Trend Micro's
Zero Day Initiative (ZDI)

Kernel
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to cause a denial of service
Description:  A denial of service issue was addressed through
improved validation.
CVE-ID
CVE-2016-1752 : CESG

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact:  Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-1819
CVE-2015-5312 : David Drysdale of Google
CVE-2015-7499
CVE-2015-7500 : Kostya Serebryany of Google
CVE-2015-7942 : Kostya Serebryany of Google
CVE-2015-8035 : gustavo.grieco
CVE-2015-8242 : Hugh Davenport
CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day
Initiative (ZDI)
CVE-2016-1762

Messages
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An attacker who is able to bypass Apple's certificate
pinning, intercept TLS connections, inject messages, and record
encrypted attachment-type messages may be able to read attachments
Description:  A cryptographic issue was addressed by rejecting
duplicate messages on the client.
CVE-ID
CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk,
Ian Miers, and Michael Rushanan of Johns Hopkins University

Messages
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Clicking a JavaScript link can reveal sensitive user
information
Description:  An issue existed in the processing of JavaScript links.
This issue was addressed through improved content security policy
checks.
CVE-ID
CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of
Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox

NVIDIA Graphics Drivers
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An application may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1741 : Ian Beer of Google Project Zero

OpenSSH
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact:  Connecting to a server may leak sensitive user information,
such as a client's private keys
Description:  Roaming, which was on by default in the OpenSSH client,
exposed an information leak and a buffer overflow. These issues were
addressed by disabling roaming in the client.
CVE-ID
CVE-2016-0777 : Qualys
CVE-2016-0778 : Qualys

OpenSSH
Available for:  OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact:  Multiple vulnerabilities in LibreSSL
Description:  Multiple vulnerabilities existed in LibreSSL versions
prior to 2.1.8. These were addressed by updating LibreSSL to version
2.1.8.
CVE-ID
CVE-2015-5333 : Qualys
CVE-2015-5334 : Qualys

OpenSSL
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory leak existed in OpenSSL versions prior to
0.9.8zh. This issue was addressed by updating OpenSSL to version
0.9.8zh.
CVE-ID
CVE-2015-3195

Python
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description:  Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by updating libpng to version
1.6.20.
CVE-ID
CVE-2014-9495
CVE-2015-0973
CVE-2015-8126 : Adam Mari
CVE-2015-8472 : Adam Mari

QuickTime
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1767 : Francis Provencher from COSIG
CVE-2016-1768 : Francis Provencher from COSIG

QuickTime
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-ID
CVE-2016-1769 : Francis Provencher from COSIG

Reminders
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Clicking a tel link can make a call without prompting the
user
Description:  A user was not prompted before invoking a call. This
was addressed through improved entitlement checks.
CVE-ID
CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of
Laurent.ca

Ruby
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  An unsafe tainted string usage vulnerability existed in
versions prior to 2.0.0-p648. This issue was addressed by updating to
version 2.0.0-p648.
CVE-ID
CVE-2015-7551

Security
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  A local user may be able to check for the existence of
arbitrary files
Description:  A permissions issue existed in code signing tools. This
was addressed through additional ownership checks.
CVE-ID
CVE-2016-1773 : Mark Mentovai of Google Inc.

Security
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted certificate may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the ASN.1 decoder.
This issue was addressed through improved input validation.
CVE-ID
CVE-2016-1950 : Francis Gabriel of Quarkslab

Tcl
Available for:  OS X Yosemite v10.10.5 and OS X El Capitan v10.11
to v10.11.3
Impact:  Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description:  Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by removing libpng.
CVE-ID
CVE-2015-8126 : Adam Mari

TrueTypeScaler
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day
Initiative (ZDI)

Wi-Fi
Available for:  OS X El Capitan v10.11 to v10.11.3
Impact:  An attacker with a privileged network position may be able
to execute arbitrary code
Description:  A frame validation and memory corruption issue existed
for a given ethertype. This issue was addressed through additional
ethertype validation and improved memory handling.
CVE-ID
CVE-2016-0801 : an anonymous researcher
CVE-2016-0802 : an anonymous researcher

OS X El Capitan 10.11.4 includes the security content of Safari 9.1.
https://support.apple.com/kb/HT206171

OS X El Capitan v10.11.4 and Security Update 2016-002 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----