I saw the new Sierra 10.12.6 and let it sit for a few days.
Now I just read through the changes:
https://support.apple.com/en-us/HT207921
Safari 10.1.2 (for macOS 10.12.6)
WebKit
Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-7018: lokihardt of Google Project Zero
CVE-2017-7020: likemeng of Baidu Security Lab
CVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)
CVE-2017-7037: lokihardt of Google Project Zero
CVE-2017-7039: Ivan Fratric of Google Project Zero
CVE-2017-7040: Ivan Fratric of Google Project Zero
CVE-2017-7041: Ivan Fratric of Google Project Zero
CVE-2017-7042: Ivan Fratric of Google Project Zero
CVE-2017-7043: Ivan Fratric of Google Project Zero
CVE-2017-7046: Ivan Fratric of Google Project Zero
CVE-2017-7048: Ivan Fratric of Google Project Zero
CVE-2017-7052: cc working with Trend Micro's Zero Day Initiative
CVE-2017-7055: The UK's National Cyber Security Centre (NCSC)
CVE-2017-7056: lokihardt of Google Project Zero
CVE-2017-7061: lokihardt of Google Project Zero
Guys... that's like 15 different memory exploits which allow malicious websites to run code on your system. Even if they just run with non-root privileges, they could still install trojans, ransomware that encrypts all your personal files, spyware, etc.
But it gets worse! 10.12.6 itself has tons of fixes:
https://support.apple.com/en-us/HT207922
They've fixed tons of issues where viewing photos and videos can execute arbitrary code.
Including:
AppleGraphicsPowerManagement
Available for: macOS Sierra 10.12.5, OS X El Capitan 10.11.6, and OS X Yosemite 10.10.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7021: sss and Axis of Qihoo 360 Nirvan Team
So a malicious app can run root code. And there are tons more of those that were fixed, allowing apps to run with system/kernel privileges. This is bad. Update immediately!
It's good that Apple is fixing all of this. This is a really critical OS update!
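A quick way to act on the "update immediately" advice across a few Macs is to compare the installed macOS and Safari versions against the patched levels named in the two advisories above (macOS 10.12.6, Safari 10.1.2). The script below is an added example written for this page, not something from the original post or from Apple. It assumes the stock `sw_vers` and `defaults` commands and the standard Safari.app install path; the version comparison itself is plain POSIX sh so it can be tested on any system, and the live lookups only run where those commands exist.

```sh
#!/bin/sh
# Added example (not from the original post): flag Macs that are below the
# patched levels from HT207921 (Safari 10.1.2) and HT207922 (macOS 10.12.6).
# Assumptions: sw_vers/defaults exist on macOS, Safari lives in /Applications.

# version_ge A B -> exit 0 if dotted version A >= B, comparing each numeric
# component in turn (so 10.12.10 > 10.12.6, and 10.1 < 10.1.2).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it, or finish if last
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"            # missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0                                    # all components equal
}

# patch_status NAME INSTALLED REQUIRED -> one report line; exit 1 if unpatched
patch_status() {
    if version_ge "$2" "$3"; then
        printf '%s %s: ok (>= %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf '%s %s: UPDATE needed (< %s)\n' "$1" "$2" "$3"
    return 1
}

# Live check of this host. Only runs the lookups that are actually available,
# so on a non-Mac it reports nothing and exits 0.
check_mac() {
    rc=0
    if command -v sw_vers >/dev/null 2>&1; then
        patch_status "macOS" "$(sw_vers -productVersion)" "10.12.6" || rc=1
    fi
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -r "$plist" ] && command -v defaults >/dev/null 2>&1; then
        patch_status "Safari" \
            "$(defaults read "$plist" CFBundleShortVersionString)" "10.1.2" || rc=1
    fi
    return $rc
}

# usage: sh patchcheck.sh check   (file name is just a suggestion)
if [ "${1:-}" = "check" ]; then
    check_mac
fi
```

Note the caveat for the older systems the advisories also list (OS X 10.11.6 and 10.10.5): the OS-side fixes reach them as a separate security update that does not change the `sw_vers` product version, so on those hosts the macOS line above would always read "UPDATE needed"; only the Safari version check is meaningful there, and you would confirm the OS fix from the installed updates list instead.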