About the security content of Safari 10

Released September 20, 2016

Safari Reader

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross-site scripting

Description: Multiple validation issues were addressed through improved input sanitization.

CVE-2016-4618: Erling Ellingsen

Entry updated September 23, 2016

Safari Tabs

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management.

CVE-2016-4751: Daniel Chatfield of Monzo Bank

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.

CVE-2016-4728: Daniel Divricean

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.

CVE-2016-4758: Masato Kinugawa of Cure53

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4611: Apple

CVE-2016-4729: Apple

CVE-2016-4730: Apple

CVE-2016-4731: Apple

CVE-2016-4734: natashenka of Google Project Zero

CVE-2016-4735: André Bargull

CVE-2016-4737: Apple

CVE-2016-4759: Tongbo Luo of Palo Alto Networks

CVE-2016-4762: Zheng Huang of Baidu Security Lab

CVE-2016-4766: Apple

CVE-2016-4767: Apple

CVE-2016-4768: Anonymous working with Trend Micro's Zero Day Initiative

CVE-2016-4769: Tongbo Luo of Palo Alto Networks

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: A malicious website may be able to access non-HTTP services

Description: Safari's support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

CVE-2016-4760: Jordan Milne
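
A simplified model of the two checks described in the HTTP/0.9 entry above, added here as an example; it is not Apple's or WebKit's code. The function names, the rule that a response without a status line counts as HTTP/0.9, and the sample hosts and responses are assumptions constructed for illustration.

```javascript
// Simplified model of the mitigation described for CVE-2016-4760.
// Names and structure are assumptions for illustration, not WebKit code.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// An HTTP/1.x response begins with a status line ("HTTP/1.1 200 OK").
// Anything else on the wire is treated here as a headerless HTTP/0.9 body.
function responseVersion(firstBytes) {
  const m = /^HTTP\/(\d\.\d) \d{3}/.exec(firstBytes.toString("latin1"));
  return m ? m[1] : "0.9";
}

// The URL parser reports an empty port when the scheme default is used.
function effectivePort(url) {
  return url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Returns { allow, reason } for one response.
// documentVersion: HTTP version the main document was loaded with,
// or null when this response is the main document itself.
function checkResponse(urlString, firstBytes, documentVersion) {
  const url = new URL(urlString);
  const version = responseVersion(firstBytes);
  if (version !== "0.9") return { allow: true, reason: "has status line" };
  // Rule 1: HTTP/0.9 responses are accepted only on default ports.
  if (effectivePort(url) !== DEFAULT_PORTS[url.protocol])
    return { allow: false, reason: "HTTP/0.9 on non-default port" };
  // Rule 2: cancel the load if the document used a different HTTP version.
  if (documentVersion !== null && documentVersion !== "0.9")
    return { allow: false, reason: "HTTP/0.9 load in HTTP/" + documentVersion + " document" };
  return { allow: true, reason: "HTTP/0.9 on default port" };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  ["http://intranet.example:25/", "220 mail.example ESMTP ready\r\n", null],
  ["http://legacy.example/", "<html>old server</html>", null],
  ["http://site.example/img", "raw bytes, no status line", "1.1"],
  ["http://site.example:8080/", "HTTP/1.1 200 OK\r\n\r\nhi", "1.1"],
];

function runSamples() {
  return SAMPLES.map(([u, body, doc]) =>
    checkResponse(u, Buffer.from(body, "latin1"), doc).allow);
}

console.log(runSamples());
```

The first sample shows why the port restriction matters: a banner from a non-HTTP service has no status line, so without the check it would be handed to the page as an HTTP/0.9 body.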

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved state management.

CVE-2016-4733: natashenka of Google Project Zero

CVE-2016-4765: Apple

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS

Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.

CVE-2016-4763: an anonymous researcher

WebKit

Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved state management.

CVE-2016-4764: Apple

Entry added November 3, 2016