Security fixes in macOS Sierra, Safari 10, and macOS Server 5.2

Released at the same time as macOS Sierra, Safari 10 is available for OS X Yosemite 10.10.5 and El Capitan 10.11.6.

It fixes nine security issues in Safari, including a universal cross-site scripting vulnerability, address bar spoofing, sensitive data leakage, and DNS rebinding to allow cross-protocol exploitation of non-HTTP services. This update is available through the App Store.

macOS Server 5.2 – as it has now been rebranded – is an update intended for improved compatibility with macOS Sierra. It also contains two security fixes, which remove RC4 as a supported cipher in ServerDocs Server and fix the handling of the HTTP_PROXY environment variable in Apache. This update is available from the App Store.

macOS Sierra version 10.12 addresses a very long list of vulnerabilities and other issues in OS X 10.11.6, including:

  • PHP in Apache is updated to 5.6.24
  • a user with screen sharing access could view another user’s screen
  • curl is updated to 7.49.1
  • six different kernel bugs
  • a validation issue in signed disk images.

As these are all vulnerabilities identified in El Capitan 10.11.6, Apple is expected to release security update 2016-002 for El Capitan in the near future.