
====================================================================

                               CERT-Renater

                   Note d'Information No. 2016/VULN281
_____________________________________________________________________
DATE                : 19/07/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Safari web browser


=====================================================================

  https://support.apple.com/en-au/HT201222
____________________________________________________________________


APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004

OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:

apache_mod_php
Available for:
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to determine kernel memory layout
Description:  An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description:  An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro's Zero Day Initiative

Audio
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro

bsdiff
Available for:  OS X El Capitan v10.11 and later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  An integer overflow existed in bspatch. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher

CFNetwork
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to view sensitive user information
Description:  A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

CoreGraphics
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to elevate privileges
Description:  An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

FaceTime
Available for:  OS X El Capitan v10.11 and later
Impact:  An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description:  User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo

Graphics Drivers
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to cause a denial of service
Description:  A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex

ImageIO
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

ImageIO
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)

Intel Graphics Driver
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous researcher

IOHIDFamily
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins

IOSurface
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A use-after-free was addressed through improved memory
management.
CVE-2016-4625 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team

Kernel
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a system denial of service
Description:  A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent

libc++abi
Available for:  OS X El Capitan v10.11 and later
Impact:  An application may be able to execute arbitrary code with
root privileges
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4621 : an anonymous researcher

libexpat
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-0718 : Gustavo Grieco

LibreSSL
Available for:  OS X El Capitan v10.11 and later
Impact:  A remote attacker may be able to execute arbitrary code
Description:  Multiple issues existed in LibreSSL before 2.2.7. These
were addressed by updating LibreSSL to version 2.2.7.
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David 
Benjamin (Google) Mark Brand,
Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description:  An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany

libxml2
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Multiple vulnerabilities in libxml2
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofe
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck

libxslt
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact:  Multiple vulnerabilities in libxslt
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas GrÃƒÂ©goire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas GrÃƒÂ©goire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas GrÃƒÂ©goire

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code leading to compromise of user information
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to execute arbitrary
code leading to the compromise of user information
Description:  A type confusion issue was addressed through improved
memory handling.
CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A local user may be able to cause a denial of service
Description:  A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

Login Window
Available for:  OS X El Capitan v10.11 and later
Impact:  A malicious application may be able to gain root privileges
Description:  A type confusion issue was addressed through improved
memory handling.
CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative

OpenSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in OpenSSL. These issues were 
resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 
0.9.8.
CVE-2016-2105 : Guido Vranken
CVE-2016-2106 : Guido Vranken
CVE-2016-2107 : Juraj Somorovsky
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David 
Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
CVE-2016-2176 : Guido Vranken

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description:  Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted SGI file may lead to
arbitrary code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab

QuickTime
Available for:  OS X El Capitan v10.11 and later
Impact:  Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description:  A memory corruption issue was addressed through
improved input validation.
CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab

Safari Login AutoFill
Available for:  OS X El Capitan v10.11 and later
Impact:  A user's password may be visible on screen
Description:  An issue existed in Safari's password auto-fill. This
issue was addressed through improved matching of form fields.
CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD

Sandbox Profiles
Available for:  OS X El Capitan v10.11 and later
Impact:  A local application may be able to access the process list
Description:  An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins

Note: OS X El Capitan 10.11.6 includes the security content of Safari
9.1.2. For further details see https://support.apple.com/kb/HT206900


OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222



==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================