Operating System:

[OSX]

Published:

19 July 2016

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1771
           OS X El Capitan v10.11.6 and Security Update 2016-004
                               19 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OS X El Capitan
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Administrator Compromise        -- Remote with User Interaction
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4652 CVE-2016-4650 CVE-2016-4649
                   CVE-2016-4648 CVE-2016-4647 CVE-2016-4646
                   CVE-2016-4645 CVE-2016-4641 CVE-2016-4640
                   CVE-2016-4639 CVE-2016-4638 CVE-2016-4637
                   CVE-2016-4635 CVE-2016-4634 CVE-2016-4633
                   CVE-2016-4632 CVE-2016-4631 CVE-2016-4630
                   CVE-2016-4629 CVE-2016-4626 CVE-2016-4625
                   CVE-2016-4621 CVE-2016-4619 CVE-2016-4616
                   CVE-2016-4615 CVE-2016-4614 CVE-2016-4612
                   CVE-2016-4610 CVE-2016-4609 CVE-2016-4608
                   CVE-2016-4607 CVE-2016-4602 CVE-2016-4601
                   CVE-2016-4600 CVE-2016-4599 CVE-2016-4598
                   CVE-2016-4597 CVE-2016-4596 CVE-2016-4595
                   CVE-2016-4594 CVE-2016-4582 CVE-2016-4483
                   CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-2176 CVE-2016-2109 CVE-2016-2108
                   CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                   CVE-2016-1865 CVE-2016-1864 CVE-2016-1863
                   CVE-2016-1836 CVE-2016-1684 CVE-2016-0718
                   CVE-2014-9862  

Reference:         ASB-2016.0065
                   ESB-2016.1235
                   ESB-2016.1233
                   ESB-2016.1232
                   ESB-2016.1076

Original Bulletin: 
   https://support.apple.com/en-au/HT206903

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004

OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:

apache_mod_php
Available for:  
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to determine kernel memory layout
Description:  An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description:  An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro's Zero Day Initiative

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

bsdiff
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  An integer overflow existed in bspatch. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher

CFNetwork
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to view sensitive user information
Description:  A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

CoreGraphics
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to elevate privileges
Description:  An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

FaceTime
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description:  User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo

Graphics Drivers
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

Intel Graphics Driver
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous researcher

IOHIDFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

IOSurface
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A use-after-free was addressed through improved memory
management.
CVE-2016-4625 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent

libc++abi
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
root privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4621 : an anonymous researcher

libexpat
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-0718 : Gustavo Grieco

LibreSSL
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple issues existed in LibreSSL before 2.2.7. These
were addressed by updating LibreSSL to version 2.2.7.
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google) Mark Brand,
Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxslt
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code leading to compromise of user information
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code leading to the compromise of user information
Description:  A type confusion issue was addressed through improved
memory handling.
CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a denial of service
Description:  A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to gain root privileges
Description:  A type confusion issue was addressed through improved
memory handling.
CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

OpenSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8.
CVE-2016-2105 : Guido Vranken
CVE-2016-2106 : Guido Vranken
CVE-2016-2107 : Juraj Somorovsky
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
CVE-2016-2176 : Guido Vranken

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted SGI file may lead to
arbitrary code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab

Safari Login AutoFill
Available for:  OS X El Capitan v10.11 and later
Impact:  A user's password may be visible on screen
Description:  An issue existed in Safari's password auto-fill. This
issue was addressed through improved matching of form fields.
CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD

Sandbox Profiles
Available for:  OS X El Capitan v10.11 and later
Impact:  A local application may be able to access the process list
Description:  An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins

Note: OS X El Capitan 10.11.6 includes the security content of Safari
9.1.2. For further details see https://support.apple.com/kb/HT206900


OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJXjXAvAAoJEIOj74w0bLRG/5EP/2v9SJTrO+/4b3A1gqC1ch8y
+cJ04tXRsO7rvjKT5nCylo30U0Sanz/bUbDx4559YS7/P/IyeyZVheaTJwK8wzEy
pSOPpy35hUuVIw0/p4YsuHDThSBPFMmDljTxH7elkfuBV1lPSrCkyDXc0re2HxWV
xj68zAxtM0jkkhgcxb2ApZSZVXhrjUZtbY0xEVOoWKKFwbMvKfx+4xSqunwQeS1u
wevs1EbxfvsZbc3pG+xYcOonbegBzOy9aCvNO1Yv1zG+AYXC5ERMq1vk3PsWOTQN
ZVY1I7mvCaEfvmjq2isRw8XYapAIKISDLwMKBSYrZDQFwPQLRi1VXxQZ67Kq1M3k
ah04/lr0RIcoosIcBqxD2+1UAFjUzEUNFkYivjhuaeegN2QdL7Ujegf1QjdAt8lk
mmKduxYUDOaRX50Kw7n14ZveJqzE1D5I6QSItaZ9M1vR60a7u91DSj9D87vbt1YC
JM/Rvf/4vonp1NjwA2JQwCiZfYliBDdn9iiCl8mzxdsSRD/wXcZCs05nnKmKsCfc
55ET7IwdG3622lVheOJGQZuucwJiTn36zC11XVzZysQd/hLD5rUKUQNX1WOgZdzs
xPsslXF5MWx9jcdyWVSWxDrN0sFk+GpQFQDuVozP60xuxqR3qQ0TXir2NP39uIF5
YozOGPQFmX0OviWCQsX6
=ng+m
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV42Woox+lLeg9Ub1AQgt4g//RJOvN+lfX3xM+N9MhG6QZDwvlBILYYbT
MD1VkajE3CcnoZuKZDqw7Tcz25kUK5NctBzFx+zsyxtbKHteG2WyqZbWg/YKqQM5
MRIiXUEidOXhZmGAZSSXM5PB6QnyNixAdHp3L7UClkNLMlY0J5CdT6PTsSnlLgqn
0IWOdrE/4x7Aspb6fX2PrVgYopSM93LDeuWQnyse82gopWmohncaI5qETs1J8lqC
2yHSpWhx24tp43JhBP0oi0Ri5zbKbSoIPUyupO2EHwm7ljUBU/etAclmmAhiLKHB
XulvB9fGZRedNqD76yfMcX0c9oj6uLfrKtEfpH9gwzxMs1W6al0UeYfnhb3r50SL
lCrkEOkSyDzlYu7g6oyZL6/YhGRC5a03gznxZGc76HtP6Al0dLDpUwdcUA8BrwR+
2h5nT0XOqVMC0Bk/jkIg6em290gcHWjzreTBL0TYTgDkTarY8PH5TUzCFENh5HJ1
oOwMyN+sxMErfLX9yfhywt5b7eVDZGzQd3JE1Dw2KDL/xT56PfwWLxyxpFyb8SmG
1dqlBbTKw6nKwtk6/UY7TFmBlF+Zp9qP2E9yMzwDWe19wlJRnP/I6DOL3coSedA8
dlgS1VbNi8kl1bWaRnbXXmNd8ohpxUHR2iSg8Z5cvNEve3d3OkMBuyTSelllkIN8
o4y8oTnJJc4=
=cjQQ
-----END PGP SIGNATURE-----