Today brings a new version of macOS (formerly known as Mac OS X, formerly known as Mac OS) with macOS Sierra 10.12. It also brings a new version of Safari, version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.
macOS Sierra 10.12 fixed 65 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:
- CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
- CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.
These examples are noteworthy because they are often used as the starting point for exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.
Today also marks the release of Safari 10, which is embedded in macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple speak for "visiting bad websites or web ads may result in running malware." Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.
With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading all systems to Safari 10 should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.