-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-09-20-2 Safari 10 Safari 10 is now available and addresses the following: Safari Reader Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting Description: Multiple validation issues were addressed through improved input sanitization. CVE-2016-4618 : an anonymous researcher Safari Tabs Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Visiting a malicious website may lead to address bar spoofing Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management. CVE-2016-4751 : Daniel Chatfield of Monzo Bank WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation. CVE-2016-4728 : Daniel Divricean WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Visiting a maliciously crafted website may leak sensitive data Description: A permissions issue existed in the handling of the location variable. This was addressed though additional ownership checks. CVE-2016-4758 : Masato Kinugawa of Cure53 WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4611 : Apple CVE-2016-4729 : Apple CVE-2016-4730 : Apple CVE-2016-4731 : Apple CVE-2016-4734 : Natalie Silvanovich of Google Project Zero CVE-2016-4735 : André Bargull CVE-2016-4737 : Apple CVE-2016-4759 : Tongbo Luo of Palo Alto Networks CVE-2016-4762 : Zheng Huang of Baidu Security Lab CVE-2016-4766 : Apple CVE-2016-4767 : Apple CVE-2016-4768 : Anonymous working with Trend Micro's Zero Day Initiative WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: A malicious website may be able to access non-HTTP services Description: Safari's support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version. CVE-2016-4760 : Jordan Milne WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved state management. CVE-2016-4733 : Natalie Silvanovich of Google Project Zero CVE-2016-4765 : Apple WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation. CVE-2016-4763 : an anonymous researcher WebKit Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS 10.12 Sierra Impact: Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4769 : Tongbo Luo of Palo Alto Networks Safari 10 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJX4XGCAAoJEIOj74w0bLRG15kP/AoBCDYAJ/XNFwT62dKxgeZM 9iO/A+69fxRWpCKGzOEfU4/c/X2j5qIL889gXGa78az1DtOBArqPUEzd1jWnIw63 lg4nwTrCoSU27+G4fepd12dMi9Om4Lyc0yk0hlJtBDXiR+3YJCAOYhUQJDejTcC7 WbeNpuqErioob0BmvHR9rQArnjI58SOy0RgZcsWBp+hV561Q18X8CQ7KmOjjECH1 a4yf2UOsoQ3BMAgPZuNOOTQ1ORIBi0kp/0ximwetnJluarW4qitjOrGd1zz3ma2f uanKgxyHXgu2uF4CBQ2kXyS3/fP2SBnk7IpuFxhd5mydU/Y5DMWSvkmXZN/ugAzi f6GG2Iy0n3SkDsjJtk3xHCs0PEYwvJF1r/vmLoE762KCm9O753gPY7oOJY52Mkgq xG4hyknpbtJmwwRdXPoCFVCCIhL4lWvptyNnkZiDaxbgIdMpsGg/jQXP9dgMZLKf pMZA2iVI/veErZzRu+9GGES4oC5OxAKGBaeyDEleTfCqdDIEysYh3XvjAHD76dDs 7fglUYbnYYsfPWl/26TS1LnSq82pCXZ76n1wNC59cvK3fzSO7Tj1JXUiecwR8ihl 94p1FSKqHUDx/2ynfvCn4VfdrHYcsY+t81xQeHfsOlHUH7SPkz31XpgtFLmLmyIa BNWrPBJoffIkp7eY1kI2 =RFSt -----END PGP SIGNATURE-----
