„Apple“ išleido naują „Safari“ versiją skirtą „El Capitan“ ir „Yosemite“

• Adds support for Safari Extensions from the Mac App Store
• Displays HTML 5 video whenever available for faster downloads, better battery life, and stronger security
• Enhances security by running plug-ins only on websites you authorize
• Improves AutoFill and adds support for auto-filling information from any contact in Contacts
• Enhances the formatting in Reader view
• Remembers Zoom level for each website users visit

Safari Reader

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting

Description: Multiple validation issues were addressed through improved input sanitization.

CVE–2016–4618: an anonymous researcher

Safari Tabs

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management.

CVE–2016–4751: Daniel Chatfield of Monzo Bank

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.

CVE–2016–4728: Daniel Divricean

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A permissions issue existed in the handling of the location variable. This was addressed though additional ownership checks.

CVE–2016–4758: Masato Kinugawa of Cure53

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE–2016–4611: Apple

CVE–2016–4729: Apple

CVE–2016–4730: Apple

CVE–2016–4731: Apple

CVE–2016–4734: Natalie Silvanovich of Google Project Zero

CVE–2016–4735: André Bargull

CVE–2016–4737: Apple

CVE–2016–4759: Tongbo Luo of Palo Alto Networks

CVE–2016–4762: Zheng Huang of Baidu Security Lab

CVE–2016–4766: Apple

CVE–2016–4767: Apple

CVE–2016–4768: Anonymous working with Trend Micro’s Zero Day Initiative

CVE–2016–4769: Tongbo Luo of Palo Alto Networks

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: A malicious website may be able to access non-HTTP services

Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

CVE–2016–4760: Jordan Milne

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved state management.

CVE–2016–4733: Natalie Silvanovich of Google Project Zero

CVE–2016–4765: Apple

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS

Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.

CVE–2016–4763: an anonymous researcher