
SteveJobzniak

macrumors 6502
Original poster
Dec 24, 2015
I saw the new Sierra 10.12.6 and let it sit for a few days.

Now I just read through the changes:
https://support.apple.com/en-us/HT207921

Safari 10.1.2 (for macOS 10.12.6)

WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7040: Ivan Fratric of Google Project Zero
CVE-2017-7041: Ivan Fratric of Google Project Zero
CVE-2017-7042: Ivan Fratric of Google Project Zero
CVE-2017-7043: Ivan Fratric of Google Project Zero
CVE-2017-7046: Ivan Fratric of Google Project Zero
CVE-2017-7048: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Micro's Zero Day Initiative
CVE-2017-7055: The UK's National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
CVE-2017-7061: lokihardt of Google Project Zero

Guys... that's like 15 different memory exploits which allow malicious websites to run code on your system. Even if they just run with non-root privileges they could still install trojans, encrypting ransomware of all your personal files, spyware, etc.

But it gets worse! 10.12.6 itself has tons of fixes:

https://support.apple.com/en-us/HT207922

They've fixed tons of issues where viewing photos and videos can execute arbitrary code.

Including:
AppleGraphicsPowerManagement
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team

So a malicious app can run root code. And there's tons more of those that were fixed, allowing apps to run with system/kernel privileges. This is bad. Update immediately!

It's good that Apple is fixing all of this. This is a really critical OS update!
 
Not to forget Broadpwn, which could be used to create worms that jump from device to device via Wi-Fi. The presentation yesterday at Black Hat was quite impressive (and scary) ...

Yep, that one is very scary. I updated as soon as the iOS fix came out. Android devices often won't even get any firmware updates to fix it, hmm. Poor guys. They'll remain vulnerable.

Actually, stuff like this is why I don't jailbreak my iOS devices. I want to be on the latest OS releases to be sure I'm not running software full of security holes. Heck, jailbreaking itself is always done via a security hole that some bad guy can also exploit.
 
The worst thing a user can say.
_______________________________________
My Mac has no problems with 10.11.6, it is stable ....yet you say...it's the worst thing? Perhaps you should consider replacing the engine in your car too...while you are at it...the transmission too...
 

Audi Press Release: "Our cars' digital engine systems have a critical firmware bug which may sometimes cause them to speed uncontrollably with no ability to brake until you smash into a wall. And hackers are able to exploit this remotely to kill you. We have released a critical firmware update today. Please upgrade and save lives!"

Phil in ocala: "Hasn't happened to me, my car seems stable to me... Let's not fix what isn't broken. I'll stay on the old firmware. Thanks."

:p
 
Okay, then simply pray that the bad guys don't know about these exploits. ;)

10.12 has matured by now. It's pretty perfect.

Except that the way Apple runs things, upgrading the OS forces you to upgrade a ton of stuff you may not want to; iTunes for example.

If you're running Parallels 9, you're going to have to pay for an upgrade to switch to 10.12, and another upgrade when you go to 10.13. Though personally I fell for that when I bought Parallels 7 and will not buy into their scam again.

Bottom line is there's many reasons you may not want to upgrade.
 
If Apple would simply stop breaking software compatibility, then I'd update. Until that day comes I have to stay on 10.9.

Without specifics, that's meaningless. What application? Is it Apple's fault, the vendor's fault, or are you just sitting on an old version of something?
 
A combination of all 3.
Right now my main Mac is a 4,1 Mac Pro which cannot run anything beyond 10.11.6. I run the video production suite of CS6 and some obscure scanner software that hasn't been updated in forever but works wonderfully. I've tried experimenting with 10.11 and none of the software I use to run various scanners or printers plays nice. They crash or I get all kinds of errors.
I don't see the point in paying Adobe to lease software that was perfectly usable a day before an update.
 

You can flash the 4.1 Mac Pro with 5.1 firmware and it will install Sierra as if it was a 5.1.
 