About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
This document describes the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Apple's latest software for the Mac, macOS Sierra 10.12.5, has been released for all compatible computers. Here's how you can download and install it right away. Stay Up to Date with the Latest. Jul 19, 2017 The macOS Sierra 10.12.6 Update improves the security, stability, and compatibility of your Mac, and is recommended for all users. Enterprise content: Resolves an issue that prevents making certain SMB connections from the Finder. Operating System: macOS 10.12 Sierra Hi. Can any one help in guiding how can I install Driver of HP Laserjet 1020 Plus printer in Mac Book Pro having Mac OS Sierra 10.12.5. MacOS Sierra 10.12.5. Available for: Any Mac running macOS Sierra 10.12.4. Listed as an update that improves the stability, compatibility, and security of your Mac, it mentions the following as being new and improved: Fixes an issue where audio may stutter when played through USB headphones.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite
Released July 19, 2017
afclip
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-7016: riusksk (泉哥) of Tencent Security Platform Department
afclip
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7033: riusksk (泉哥) of Tencent Security Platform Department
AppleGraphicsControl
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13853: shrek_wzw from Qihoo 360 NirvanTeam
Entry added November 2, 2017
AppleGraphicsPowerManagement
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team
Audio
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7015: riusksk (泉哥) of Tencent Security Platform Department
Bluetooth
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7050: Min (Spark) Zheng of Alibaba Inc.
CVE-2017-7051: Alex Plaskett of MWR InfoSecurity
Bluetooth
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7054: Alex Plaskett of MWR InfoSecurity, Lufeng Li of Qihoo 360 Vulcan Team
Contacts
Available for: macOS Sierra 10.12.5
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed through improved memory handling.
CVE-2017-7062: Shashank (@cyberboyIndia)
CoreAudio
Available for: macOS Sierra 10.12.5
Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team
curl
Available for: macOS Sierra 10.12.5
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to version 7.54.0.
CVE-2016-9586
CVE-2016-9594
CVE-2017-2629
CVE-2017-7468
Foundation
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-7031: HappilyCoded (ant4g0nist and r3dsm0k3)
Font Importer
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: A memory corruption issue was addressed through improved input validation.
CVE-2017-13850: John Villamil, Doyensec
Entry added October 31, 2017
Intel Graphics Driver
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7014: Lee of Minionz, Axis and sss of Qihoo 360 Nirvan Team
CVE-2017-7017: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7035: shrek_wzw of Qihoo 360 Nirvan Team
CVE-2017-7044: shrek_wzw of Qihoo 360 Nirvan Team
Intel Graphics Driver
Available for: macOS Sierra 10.12.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7036: shrek_wzw of Qihoo 360 Nirvan Team
CVE-2017-7045: shrek_wzw of Qihoo 360 Nirvan Team
IOUSBFamily
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7022: an anonymous researcher
CVE-2017-7024: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7023: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7025: an anonymous researcher
CVE-2017-7027: an anonymous researcher
CVE-2017-7069: Proteas of Qihoo 360 Nirvan Team
Kernel
Mac Sierra
Available for: macOS Sierra 10.12.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7026: an anonymous researcher
Kernel
Macos Sierra Dmg File Download
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7028: an anonymous researcher
CVE-2017-7029: an anonymous researcher
Kernel
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-7067: shrek_wzw of Qihoo 360 Nirvan Team
kext tools
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7032: Axis and sss of Qihoo 360 Nirvan Team
libarchive
Available for: macOS Sierra 10.12.5
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A buffer overflow was addressed through improved bounds checking.
CVE-2017-7068: found by OSS-Fuzz
libxml2
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-7010: Apple
CVE-2017-7013: found by OSS-Fuzz
libxpc
Available for: macOS Sierra 10.12.5 and OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7047: Ian Beer of Google Project Zero
Wi-Fi
Available for: macOS Sierra 10.12.5
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7065: Gal Beniamini of Google Project Zero
Entry added September 25, 2017
Wi-Fi
Available for: macOS Sierra 10.12.5
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-9417: Nitay Artenstein of Exodus Intelligence
2009 Mac Os
macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite includes the security content of Safari 10.1.2.
Additional recognition
Macos Sierra 10.12.5
curl
We would like to acknowledge Dave Murdock of Tangerine Element for their assistance.