Apple Security Update

Apple macOS Security Update 2017-003

Improve the security of macOS.

Quick Facts

macOS
Upgrade/Patch
729 MB

Security Update 2017-003 is recommended for all users and improves the security of OS X.

This update includes the following improvements:

afclip

  • Available for: macOS Sierra 10.12.5
  • Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved input validation.
  • CVE-2017-7016: riusksk (泉哥) of Tencent Security Platform Department

afclip

  • Available for: macOS Sierra 10.12.5
  • Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7033: riusksk (泉哥) of Tencent Security Platform Department

AppleGraphicsPowerManagement

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team

Audio

  • Available for: macOS Sierra 10.12.5
  • Impact: Processing a maliciously crafted audio file may disclose restricted memory
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7015: riusksk (泉哥) of Tencent Security Platform Department

Bluetooth

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7050: Min (Spark) Zheng of Alibaba Inc.
  • CVE-2017-7051: Alex Plaskett of MWR InfoSecurity

Bluetooth

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7054: Alex Plaskett of MWR InfoSecurity, Lufeng Li of Qihoo 360 Vulcan Team

Contacts

  • Available for: macOS Sierra 10.12.5
  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: A buffer overflow issue was addressed through improved memory handling.
  • CVE-2017-7062: Shashank (@cyberboyIndia)

CoreAudio

  • Available for: macOS Sierra 10.12.5
  • Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved bounds checking.
  • CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team

curl

  • Available for: macOS Sierra 10.12.5
  • Impact: Multiple issues in curl
  • Description: Multiple issues were addressed by updating to version 7.54.0.
  • CVE-2016-9586
  • CVE-2016-9594
  • CVE-2017-2629
  • CVE-2017-7468

Foundation

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: Processing a maliciously crafted file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed through improved input validation.
  • CVE-2017-7031: HappilyCoded (ant4g0nist and r3dsm0k3)

Intel Graphics Driver

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7014: Lee of Minionz, Axis and sss of Qihoo 360 Nirvan Team
  • CVE-2017-7017: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
  • CVE-2017-7035: shrek_wzw of Qihoo 360 Nirvan Team
  • CVE-2017-7044: shrek_wzw of Qihoo 360 Nirvan Team

Intel Graphics Driver

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2017-7036: shrek_wzw of Qihoo 360 Nirvan Team
  • CVE-2017-7045: shrek_wzw of Qihoo 360 Nirvan Team

IOUSBFamily

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team

Kernel

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7022: an anonymous researcher
  • CVE-2017-7024: an anonymous researcher

Kernel

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7023: an anonymous researcher

Kernel

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7025: an anonymous researcher
  • CVE-2017-7027: an anonymous researcher
  • CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team

Kernel

  • Available for: macOS Sierra 10.12.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7026: an anonymous researcher

Kernel

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2017-7028: an anonymous researcher
  • CVE-2017-7029: an anonymous researcher

Kernel

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2017-7067: shrek_wzw of Qihoo 360 Nirvan Team

kext tools

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7032: Axis and sss of Qihoo 360 Nirvan Team

libarchive

  • Available for: macOS Sierra 10.12.5
  • Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
  • Description: A buffer overflow was addressed through improved bounds checking.
  • CVE-2017-7068: found by OSS-Fuzz

libxml2

  • Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
  • Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
  • Description: An out-of-bounds read was addressed through improved bounds checking.
  • CVE-2017-7010: Apple
  • CVE-2017-7013: found by OSS-Fuzz

libxpc

  • Available for: macOS Sierra 10.12.5 and OS X El Capitan 10.11.6
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-7047: Ian Beer of Google Project Zero

Wi-Fi

  • Available for: macOS Sierra 10.12.5
  • Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2017-9417: Nitay Artenstein of Exodus Intelligence