CVE-2016-1764

Name of the Vulnerable Software and Affected Versions OS X versions prior to 10.11.4

Description The issue is related to the Content Security Policy (CSP) implementation in the Messages component of Apple OS X. It allows remote attackers to obtain sensitive information via a javascript: URL. The vulnerability is associated with a lack of protection for sensitive data, which can be exploited by a remote attacker to gain confidential information by navigating to a JavaScript link.

Recommendations For OS X versions prior to 10.11.4, update to version 10.11.4 or later to resolve the issue. As a temporary workaround, consider restricting access to javascript: URLs in the Messages component to minimize the risk of exploitation.