Pgp Software Mac Os X

  1. Pgp Software For Windows
  2. Mac Pgp Encryption
  3. Pgp Software For Mac

When I decided to set up my Mac with PGP encrypted communications, I could not believe how hard it was -- not just to set up the software, but to understand how to use PGP properly. There was no 'PGP for Dummies' tutorial for OS X on the internet. So I decided to write one. This is my über simple, nerd-free tutorial for anyone on Mac. In it, I will:

  1. Cover exactly how to install and configure PGP on OS X
  2. Demonstrate how to use PGP in real life

PGP Desktop 9.9 supports PGP Whole Disk Encryption of the boot drive on Intel based Mac OS X 10.4 and 10.5 systems. The software can be managed by PGP Universal, supporting standard WDE WDRT functionality, logging and reporting, and identification of Mac OS X platforms within PGP Universal, permitting the admin to identify whether a device is a. Released in August 2008, PGP Desktop 9.9 for Macintosh was the first version of this product to offer whole disk encryption on Macintosh boot drives. While the software runs on both the Intel and the older PPC architecture under Mac OS X 10.4.x and 10.5.x, the.

Why this tutorial is the best (ever)

  1. It works with every app. Unlike other tutorials for PGP, this tutorial does not care what program you use. If you install or uninstall apps, PGP will keep working. If you want to encrypt email, you can use any email program -- Mail.app, Thunderbird, Sparrow, Gmail, Airmail. Or, you can encrypt something besides email, you can do that too. You can write an encrypted letter in Word. You can encrypt a formula in Excel. You can encrypt a URL in Safari. You can encrypt a text with Messages. You can encrypt a bash command in Terminal. It does not matter.
  2. It is Mac friendly. There is a certain way of doing things on a Mac. If you're not a Mac fan, you won't understand. (That's okay.) Many of the tutorials I found for OS X are not Mac friendly. Many want you to install bloated, Windows-like software; or, install questionable add-ons. I've done the opposite. This PGP tutorial is super Mac friendly. It's PGP, installed the way Steve Jobs would have done it.
  3. Simple. Above all, this PGP setup is simple. Once you understand how it works, there is nothing you cannot do.

I looked into dozens of ways to set up PGP on my Mac. A lot of them suck for a plurality of reasons. Across the board, this is the best way for 95% of use cases.

Step 1: Install the GPGTools GPG Suite for OS X

This step is simple. Visit the GPGTools website and download the GPG Suite for OS X. Once downloaded, mount the DMG and run the 'Install'.

Inside the installer, you can stick with all default parameters save one exception. On the 'Installation Type' screen, press 'Customize'..

And uncheck the GPGMail package:

Then press 'Install.'

Step 2: Creating your very own PGP key

When the installer completes, a new app called 'GPG Keychain Access' will launch. A small window will pop up immediately and say: 'GPG Keychain Access would like to access your contacts.' Press 'OK.'

As soon as you press 'OK,' a second window will pop up that says 'Generate a new key pair.' Type in your name and your email address. Also, check the box that says 'Upload public key after generation.' Your window should look like this:

Expand the 'Advanced options' section. Incrase the key length to 4096 for extra NSA-proof'edness. Reduce the 'Expiration date' to 1 year from today. Your window should look like this:

Press 'Generate key.'

As soon as you press 'Generate key,' the 'Enter passphrase' window will pop up. Okay, now this is important..

A brief word about your passphrase

The entire PGP encryption will rest on your passphrase. So, first and foremost.. don't use a passphrase that other people know! Pick something only you will know, and others can't guess. And once you have a passphrase selected, don't give it to other people.

Second, do not use a password, but rather a passphrase -- a sentence. For example, 'Pennstate55' is less preferable than 'I graduated from Penn State in 1955, ya heard?!' The longer your passphrase, the more secure your key.

Lastly, make sure your passphrase is something you can remember. Since it is long, there is a tendancy you might forget it. Don't. The consequences to that will be dire. Make sure you can remember your passphrase.

Back to Step 2..

Once you decide on your passphrase, type it in the 'Enter passphrase' window. Turn on the 'Show typing' option, so you can be 100% sure that you've typed in your passphrase without any spelling errors. When everything looks good, press 'OK:'

Will be asked to reenter the passphrase. Do it, and press 'OK:'

You will then see a message saying, 'We need to generate a lot of random bytes..' Wait for it to complete:

Et voilà! Your PGP key is ready to use:

Step 3: Set PGP keyboard shortcuts

Next, you will set up four global keyboard shortcuts in OS X.

Open System Preferences, select the 'Keyboard' pane, and go to the 'Shortucts' tab. On the left hand side, select 'Services.' Then, on the right, scroll down to the subsection 'Text' and look for a bunch of entries that start with 'OpenPGP:'

Go through each OpenPGP entry, unchecking each one and deleting the keyboard shortcut:

Next, you will enable and set four shortcuts:

  • Enable 'OpenPGP: Decrypt' and set its shortcut to ⌃⌥⌘- (i.e., control option command minus)
  • Enable 'OpenPGP: Encrypt' and set its shortcut to ⌃⌥⌘= (i.e., control option command equals)
  • Enable 'OpenPGP: Sign' and set its shortcut to ⌃⌥⌘[ (i.e., control option command open bracket)
  • Enable 'OpenPGP: Verify' and set its shortcut to ⌃⌥⌘] (i.e., control option command close bracket)

Your keyboard shortcuts should now look like this:

That's it! You're done setting up PGP with OpenGPG on OS X! Now, we will discuss how to use what we set up.

Step 4: How to send a secure email

You can encrypt anything with PGP, but most people will want to encrypt email. So, I will now take a few minutes to explain that. These steps can be transposed for any kind of encryption, from any app on your computer.

To secure an email in PGP, you will sign and encrypt the body of the message. You can just sign or just encrypt, but combining both operations will result in optimum security. Conversely, when you receive a PGP-secured email, you will decrypt and verify it. This is the 'opposite' of signing and encrypting.

Start off by writing your email:

Then, select the entire body of the email and press ⌃⌥⌘[ to sign it:

Next, open the GPG Keychain Access app. Press Command-F and type in the email address of the person you are sending your message to. This will search the public keyserver for your friend's PGP key:

If your friend has more than one key, select his most recent one:

You will receive a confirmation that your friend's key was successfully downloaded. You can press 'Close:'

You will now see your friend's public key in your keychain:

You can now quit GPG Keychain Access and return to writing the email.

Select the entire body of the email (everything, not just the part you wrote) and press ⌃⌥⌘= to encrypt it. A window will pop up, asking you who the recipient is. Select the friend's public key you just downloaded, and press 'OK:'

Your entire message is now encrypted! You can press 'Send' safely.

N.B. You will only need to download your friend's public key once. After that, it will always be available in your keychain until the key expires.

Step 4: How to receive a secure email

With our secure message sent, the recipient will now want to unscramble it. For the sake of this step, I will pretend I am the recipient.

I have recieved the message:

Copy the entire body, from, and including, '-----BEGIN PGP MESSAGE---', to, and including, '-----END PGP MESSAGE---'. Open your favorite text editor, and paste it:

Now select the entire text, and press ⌃⌥⌘- to decrypt the message. You will immediately be prompted for your PGP passphrase. Type it in and press 'OK:'

You will now see the decrypted message!

Next, you can verify the signature. Highlight the entire text, and press ⌃⌥⌘]. You will see a message confirming the verification:

You can press 'OK.'

What does encrypt, decrypt, sign, and verify mean?

Now that you know how to sign and encrypt outgoing messages, and decrypt and verify incoming ones, let us discuss what these terms mean.

Encrypt takes your secret key and the recipient's public key, and scrambles a message. The scrambled text is secure from prying eyes. The sender always encrypts.

Decrypt takes an encrypted message, combined with the your secret key and the sender's public key, and descrambles it. The recipient always decrypts.

Encrypt and decrypt can be thought of as opposites.

Signing a message lets the recipient know that you (the person with your email address and public key) acutally authored the message. Signing also provides additional cryptographic integrity: it ensures that no one has tampered with the encryption. The sender always signs a message.

Verifying a message is the process of analyzing a signed message, to determine if the signing is true.

Signing and verifying can be thought of as opposites.

When should I sign? When should I encrypt?

It is unnecessary to sign and encrypt every outgoing email. Well, then: when should you sign? And when should you encrypt? And when should you do nothing?

You have three rational choices when you are sending a message:

  1. Do nothing. If the contents of the email are public (non-confidential), and the recipient does not care whether you or an impostor sent the message, then do nothing. You can send the message as you've sent messages your whole life: in plain text.
  2. Sign, but don't encrypt. If the contents of the email are public (non-confidential), but the recipient wants assurance that you -- not an impostor -- actually sent the message, then you should sign but not encrypt. Simply follow the tutorial above, skipping over the encryption and decryption steps.
  3. Sign and encrypt. If the contents of the email are confidential, sign and encrypt. It does not matter whether the recipient wants assurance that you sent the message -- always sign when you encrpt.

I do nothing for 90% of emails I send; security is just not necessary. The remaining 10% of the time, I sign and encrypt. Whenever there is confidential information -- business plans, credit card numbers, bank numbers, social security numbers, corporate strategies, etc. -- I sign and encrypt. I define confidential information loosely, because I'd rather sign and encrypt unnecessarily than do nothing and leak sensitive information. As for the third option, I rarely sign, but do not encrypt. Your profession may warrant radically different usage of PGP.

Why don't you use PGP MIME attachments? Why don't you use the Mail.app PGP plugin?

Some PGP nerds prefer sending PGP with attachments (a.k.a., PGP MIME type), instead of using plain text (a.k.a., PGP INLINE).

Conversely, some PGP n00bs want to know why I don't recommend using a PGP plugin for their email client (i.e., the Mail.app PGP plugin).

Here's why:

  1. Attachments are a pain in the ass.
  2. People who use mail plugins for encryption have no idea how they work; the result is a false sense of security.
  3. Inline text works places where attachments don't (the shell, Facebook, iMessage, etc.).
  4. The majority of people who have sent me MIME test emails using the Mail.app plugins sent undecryptable messages, because they have no idea what they're doing or how it works.
  5. When a plugin generates an attachment and sends it before you can see what is going on, you have no idea what is happening or if it is working.
  6. Lots of applications and email clients do not have PGP built in, so you need inline anyway.

Try it out! Email me.

My email address is jerzygangi@gmail.com. Try sending me an encrypted, signed email. I'll reply.

If my tutorial was helpful, please send me a small donation through PayPal!

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

OS X El Capitan v10.11

  • Address Book

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker may be able to inject arbitrary code to processes loading the Address Book framework

    Description: An issue existed in Address Book framework's handling of an environment variable. This issue was addressed through improved environment variable handling.

    CVE-ID

    CVE-2015-5897 : Dan Bastone of Gotham Digital Science

  • AirScan

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker with a privileged network position may be able to extract payload from eSCL packets sent over a secure connection

    Description: An issue existed in the processing of eSCL packets. This issue was addressed through improved validation checks.

    CVE-ID

    CVE-2015-5853 : an anonymous researcher

Pgp Software For Windows

  • apache_mod_php

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in PHP

    Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.27, including one which may have led to remote code execution. This issue was addressed by updating PHP to version 5.5.27.

    CVE-ID

    CVE-2014-9425

    CVE-2014-9427

    CVE-2014-9652

    CVE-2014-9705

    CVE-2014-9709

    CVE-2015-0231

    CVE-2015-0232

    CVE-2015-0235

    CVE-2015-0273

    CVE-2015-1351

    CVE-2015-1352

    CVE-2015-2301

    CVE-2015-2305

    CVE-2015-2331

    CVE-2015-2348

    CVE-2015-2783

    CVE-2015-2787

    CVE-2015-3329

    CVE-2015-3330

  • Apple Online Store Kit

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application may gain access to a user's keychain items

    Description: An issue existed in validation of access control lists for iCloud keychain items. This issue was addressed through improved access control list checks.

    CVE-ID

    CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of Indiana University, Tongxin Li of Peking University, Tongxin Li of Peking University, Xiaolong Bai of Tsinghua University

  • AppleEvents

    Available for: Mac OS X v10.6.8 and later

    Impact: A user connected through screen sharing can send Apple Events to a local user's session

    Description: An issue existed with Apple Event filtering that allowed some users to send events to other users. This was addressed by improved Apple Event handling.

    CVE-ID

    CVE-2015-5849 : Jack Lawrence (@_jackhl)

  • Audio

    Available for: Mac OS X v10.6.8 and later

    Impact: Playing a malicious audio file may lead to an unexpected application termination

    Description: A memory corruption issue existed in the handling of audio files. This issue issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.: Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea

  • bash

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in bash

    Description: Multiple vulnerabilities existed in bash versions prior to 3.2 patch level 57. These issues were addressed by updating bash version 3.2 to patch level 57.

    CVE-ID

    CVE-2014-6277

    CVE-2014-7186

    CVE-2014-7187

  • Certificate Trust Policy

    Available for: Mac OS X v10.6.8 and later

    Impact: Update to the certificate trust policy

    Description: The certificate trust policy was updated. The complete list of certificates may be viewed at https://support.apple.com/kb/HT202858.

  • CFNetwork Cookies

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker in a privileged network position can track a user's activity

    Description: A cross-domain cookie issue existed in the handling of top level domains. The issue was address through improved restrictions of cookie creation.

    CVE-ID

    CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University

  • CFNetwork FTPProtocol

    Available for: Mac OS X v10.6.8 and later

    Impact: Malicious FTP servers may be able to cause the client to perform reconnaissance on other hosts

    Description: An issue existed in the handling of FTP packets when using the PASV command. This issue was resolved through improved validation.

    CVE-ID

    CVE-2015-5912 : Amit Klein

  • CFNetwork HTTPProtocol

    Available for: Mac OS X v10.6.8 and later

    Impact: A maliciously crafted URL may be able to bypass HSTS and leak sensitive data

    Description: A URL parsing vulnerability existed in HSTS handling. This issue was addressed through improved URL parsing.

    CVE-ID

    CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University

  • CFNetwork HTTPProtocol

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker with a privileged network position may be able to intercept network traffic

    Description: An issue existed in the handling of HSTS preload list entries in Safari private browsing mode. This issue was addressed through improved state handling.

    CVE-ID

    CVE-2015-5859 : Rosario Giustolisi of University of Luxembourg

  • CFNetwork HTTPProtocol

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious website may be able to track users in Safari private browsing mode

    Description: An issue existed in the handling of HSTS state in Safari private browsing mode. This issue was addressed through improved state handling.

    CVE-ID

    CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd

  • CFNetwork Proxies

    Available for: Mac OS X v10.6.8 and later

    Impact: Connecting to a malicious web proxy may set malicious cookies for a website

    Description: An issue existed in the handling of proxy connect responses. This issue was addressed by removing the set-cookie header while parsing the connect response.

    CVE-ID

    CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University

  • CFNetwork SSL

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker with a privileged network position may intercept SSL/TLS connections

    Description: A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation.

    CVE-ID

    CVE-2015-5824 : Timothy J. Wood of The Omni Group

  • CFNetwork SSL

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker may be able to decrypt data protected by SSL

    Description: There are known attacks on the confidentiality of RC4. An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4. This issue was addressed by removing the fallback to SSL 3.0.

  • CoreCrypto

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker may be able to determine a private key

    Description: By observing many signing or decryption attempts, an attacker may have been able to determine the RSA private key. This issue was addressed using improved encryption algorithms.

Pgp software for windows
  • CoreText

    Available for: Mac OS X v10.6.8 and later

    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

  • Dev Tools

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A memory corruption issue existed in dyld. This was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5876 : beist of grayhash

  • Dev Tools

    Available for: Mac OS X v10.6.8 and later

    Impact: An application may be able to bypass code signing

    Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking.

    CVE-ID

    CVE-2015-5839 : @PanguTeam

  • Disk Images

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A memory corruption issue existed in DiskImages. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5847 : Filippo Bigarella, Luca Todesco

  • dyld

    Available for: Mac OS X v10.6.8 and later

    Impact: An application may be able to bypass code signing

    Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking.

    CVE-ID

    CVE-2015-5839 : TaiG Jailbreak Team

  • EFI

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application can prevent some systems from booting

    Description: An issue existed with the addresses covered by the protected range register. This issue was fixed by changing the protected range.

    CVE-ID

    CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore

  • EFI

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious Apple Ethernet Thunderbolt adapter may be able to affect firmware flashing

    Description: Apple Ethernet Thunderbolt adapters could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.

    CVE-ID

    CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare

  • Finder

    Available for: Mac OS X v10.6.8 and later

    Impact: The 'Secure Empty Trash' feature may not securely delete files placed in the Trash

    Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the 'Secure Empty Trash' option.

    CVE-ID

    CVE-2015-5901 : Apple

  • Game Center

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious Game Center application may be able to access a player's email address

    Description: An issue existed in Game Center in the handling of a player's email. This issue was addressed through improved access restrictions.

    CVE-ID

    CVE-2015-5855 : Nasser Alnasser

  • Heimdal

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker may be able to replay Kerberos credentials to the SMB server

    Description: An authentication issue existed in Kerberos credentials. This issue was addressed through additional validation of credentials using a list of recently seen credentials.

    CVE-ID

    CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu Fan of Microsoft Corporation, China

  • ICU

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in ICU

    Description: Multiple vulnerabilities existed in ICU versions prior to 53.1.0. These issues were addressed by updating ICU to version 55.1.

    CVE-ID

    CVE-2014-8146 : Marc Deslauriers

    CVE-2014-8147 : Marc Deslauriers

    CVE-2015-5922 : Mark Brand of Google Project Zero

  • Install Framework Legacy

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to gain root privileges

    Description: A restriction issue existed in the Install private framework containing a privileged executable. This issue was addressed by removing the executable.

    CVE-ID

    CVE-2015-5888 : Apple

  • Intel Graphics Driver

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: Multiple memory corruption issues existed in the Intel Graphics Driver. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-5830 : Yuki MIZUNO (@mzyy94)

    CVE-2015-5877 : Camillus Gerard Cai

  • IOAudioFamily

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to determine kernel memory layout

    Description: An issue existed in IOAudioFamily that led to the disclosure of kernel memory content. This issue was addressed by permuting kernel pointers.

    CVE-ID

    CVE-2015-5864 : Luca Todesco

  • IOGraphics

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-5871 : Ilja van Sprundel of IOActive

    CVE-2015-5872 : Ilja van Sprundel of IOActive

    CVE-2015-5873 : Ilja van Sprundel of IOActive

    CVE-2015-5890 : Ilja van Sprundel of IOActive

  • IOGraphics

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application may be able to determine kernel memory layout

    Description: An issue existed in IOGraphics which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management.

    CVE-ID

    CVE-2015-5865 : Luca Todesco

  • IOHIDFamily

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-5866 : Apple

    CVE-2015-5867 : moony li of Trend Micro

  • IOStorageFamily

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker may be able to read kernel memory

    Description: A memory initialization issue existed in the kernel. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5863 : Ilja van Sprundel of IOActive

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues existed in the Kernel. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team

    CVE-2015-5896 : Maxime Villard of m00nbsd

    CVE-2015-5903 : CESG

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local process can modify other processes without entitlement checks

    Description: An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through additional entitlement checks.

    CVE-ID

    CVE-2015-5882 : Pedro Vilaça, working from original research by Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker may control the value of stack cookies

    Description: Multiple weaknesses existed in the generation of user space stack cookies. These issues were addressed through improved generation of stack cookies.

    CVE-ID

    CVE-2013-3951 : Stefan Esser

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker may be able to launch denial of service attacks on targeted TCP connections without knowing the correct sequence number

    Description: An issue existed in xnu's validation of TCP packet headers. This issue was addressed through improved TCP packet header validation.

    CVE-ID

    CVE-2015-5879 : Jonathan Looney

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker in a local LAN segment may disable IPv6 routing

    Description: An insufficient validation issue existed in the handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit.

    CVE-ID

    CVE-2015-5869 : Dennis Spindel Ljungmark

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to determine kernel memory layout

    Description: An issue existed that led to the disclosure of kernel memory layout. This was addressed through improved initialization of kernel memory structures.

    CVE-ID

    CVE-2015-5842 : beist of grayhash

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to determine kernel memory layout

    Description: An issue existed in debugging interfaces that led to the disclosure of memory content. This issue was addressed by sanitizing output from debugging interfaces.

    CVE-ID

    CVE-2015-5870 : Apple

  • Kernel

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to cause a system denial of service

    Description: A state management issue existed in debugging functionality. This issue was addressed through improved validation.

    CVE-ID

    CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team

  • libc

    Available for: Mac OS X v10.6.8 and later

    Impact: A remote attacker may be able to cause arbitrary code execution

    Description: A memory corruption issue existed in the fflush function. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse Corporation

Pgp Software Mac Os X
  • libpthread

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team

  • libxpc

    Available for: Mac OS X v10.6.8 and later

    Impact: Many SSH connections could cause a denial of service

    Description: launchd had no limit on the number of processes that could be started by a network connection. This issue was addressed by limiting the number of SSH processes to 40.

    CVE-ID

    CVE-2015-5881 : Apple

  • Login Window

    Available for: Mac OS X v10.6.8 and later

    Impact: The screen lock may not engage after the specified time period

    Description: An issue existed with captured display locking. The issue was addressed through improved lock handling.

    CVE-ID

    CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni Vaahtera, and Jon Hall of Asynchrony

  • lukemftpd

    Available for: Mac OS X v10.6.8 and later

    Impact: A remote attacker may be able to deny service to the FTP server

    Description: A glob-processing issue existed in tnftpd. This issue was addressed through improved glob validation.

    CVE-ID

    CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com

  • Mail

    Available for: Mac OS X v10.6.8 and later

    Impact: Printing an email may leak sensitive user information

    Description: An issue existed in Mail which bypassed user preferences when printing an email. This issue was addressed through improved user preference enforcement.

    CVE-ID

    CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya, Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim Technology Partners

  • Mail

    Available for: Mac OS X v10.6.8 and later

    Impact: An attacker in a privileged network position may be able to intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop

    Description: An issue existed in handling encryption parameters for large email attachments sent via Mail Drop. The issue is addressed by no longer offering Mail Drop when sending an encrypted e-mail.

    CVE-ID

    CVE-2015-5884 : John McCombs of Integrated Mapping Ltd

  • Multipeer Connectivity

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker may be able to observe unprotected multipeer data

    Description: An issue existed in convenience initializer handling in which encryption could be actively downgraded to a non-encrypted session. This issue was addressed by changing the convenience initializer to require encryption.

    CVE-ID

    CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem

Mac Pgp Encryption

  • NetworkExtension

    Available for: Mac OS X v10.6.8 and later

    Impact: A malicious application may be able to determine kernel memory layout

    Description: An uninitialized memory issue in the kernel led to the disclosure of kernel memory content. This issue was addressed through improved memory initialization.

    CVE-ID

    CVE-2015-5831 : Maxime Villard of m00nbsd

  • Notes

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to leak sensitive user information

    Description: An issue existed in parsing links in the Notes application. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher

  • Notes

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to leak sensitive user information

    Description: A cross-site scripting issue existed in parsing text by the Notes application. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)

  • OpenSSH

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in OpenSSH

    Description: Multiple vulnerabilities existed in OpenSSH versions prior to 6.9. These issues were addressed by updating OpenSSH to version 6.9.

    CVE-ID

    CVE-2014-2532

  • OpenSSL

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in OpenSSL

    Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg.

    CVE-ID

    CVE-2015-0286

    CVE-2015-0287

  • procmail

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in procmail

    Description: Multiple vulnerabilities existed in procmail versions prior to 3.22. These issues were addressed by removing procmail.

    CVE-ID

    CVE-2014-3618

  • remote_cmds

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with root privileges

    Description: An issue existed in the usage of environment variables by the rsh binary. This issue was addressed by dropping setuid privileges from the rsh binary.

    CVE-ID

    CVE-2015-5889 : Philip Pettersson

  • removefile

    Available for: Mac OS X v10.6.8 and later

    Impact: Processing malicious data may lead to unexpected application termination

    Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines.

    CVE-ID

    CVE-2015-5840 : an anonymous researcher

  • Ruby

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in Ruby

    Description: Multiple vulnerabilities existed in Ruby versions prior to 2.0.0p645. These were addressed by updating Ruby to version 2.0.0p645.

    CVE-ID

    CVE-2014-8080

    CVE-2014-8090

    CVE-2015-1855

  • Security

    Available for: Mac OS X v10.6.8 and later

    Impact: The lock state of the keychain may be incorrectly displayed to the user

    Description: A state management issue existed in the way keychain lock status was tracked. This issue was addressed through improved state management.

    CVE-ID

    CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron, Eric E. Lawrence, Apple

  • Security

    Available for: Mac OS X v10.6.8 and later

    Impact: A trust evaluation configured to require revocation checking may succeed even if revocation checking fails

    Description: The kSecRevocationRequirePositiveResponse flag was specified but not implemented. This issue was addressed by implementing the flag.

    CVE-ID

    CVE-2015-5894 : Hannes Oud of kWallet GmbH

  • Security

    Available for: Mac OS X v10.6.8 and later

    Impact: A remote server may prompt for a certificate before identifying itself

    Description: Secure Transport accepted the CertificateRequest message before the ServerKeyExchange message. This issue was addressed by requiring the ServerKeyExchange first.

    CVE-ID

    CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute

  • SMB

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-5891 : Ilja van Sprundel of IOActive

  • SMB

    Available for: Mac OS X v10.6.8 and later

    Impact: A local user may be able to determine kernel memory layout

    Description: An issue existed in SMBClient that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking.

    CVE-ID

    CVE-2015-5893 : Ilja van Sprundel of IOActive

Pgp Software For Mac

  • SQLite

    Available for: Mac OS X v10.6.8 and later

    Impact: Multiple vulnerabilities in SQLite v3.8.5

    Description: Multiple vulnerabilities existed in SQLite v3.8.5. These issues were addressed by updating SQLite to version 3.8.10.2.

    CVE-ID

    CVE-2015-3414

    CVE-2015-3415

    CVE-2015-3416

  • Telephony

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker can place phone calls without the user's knowledge when using Continuity

    Description: An issue existed in the authorization checks for placing phone calls. This issue was addressed through improved authorization checks.

    CVE-ID

    CVE-2015-3785 : Dan Bastone of Gotham Digital Science

  • Terminal

    Available for: Mac OS X v10.6.8 and later

    Impact: Maliciously crafted text could mislead the user in Terminal

    Description: Terminal did not handle bidirectional override characters in the same way when displaying text and when selecting text. This issue was addressed by suppressing bidirectional override characters in Terminal.

    CVE-ID

    CVE-2015-5883 : Lukas Schauer (@lukas2511)

  • tidy

    Available for: Mac OS X v10.6.8 and later

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in tidy. These issues were addressed through improved memory handling.

    Just a few of the program's highlights include self-guided Bible lessons and quizzes, the encyclopedia, a virtual tours of the Holy Land, the, and an overview of all of history. Bible software for mac freeware free. At $89.99 the software is available for both Windows and Mac users. Read Review. This interactive software program from Tyndale House Publishers brings a multimedia experience to Bible study, featuring narrated and musically scored digital animations.

    CVE-ID

    CVE-2015-5522 : Fernando Muñoz of NULLGroup.com

    CVE-2015-5523 : Fernando Muñoz of NULLGroup.com

  • Time Machine

    Available for: Mac OS X v10.6.8 and later

    Impact: A local attacker may gain access to keychain items

    Description: An issue existed in backups by the Time Machine framework. This issue was addressed through improved coverage of Time Machine backups.

    CVE-ID

    CVE-2015-5854 : Jonas Magazinius of Assured AB

Note: OS X El Capitan v10.11 includes the security content of Safari 9.