Apple releases vital safety updates for macOS Monterey and Huge Sur

Apple Neural Engine

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly execute arbitrary code with kernel privileges
• Description: The problem was addressed with improved reminiscence dealing with.
• CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleMobileFileIntegrity

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: A person could achieve entry to protected elements of the file system
• Description: The problem was addressed with improved checks.
• CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An archive could possibly bypass Gatekeeper
• Description: The problem was addressed with improved checks.
• CVE-2023-27951: Brandon Dalton of Pink Canary and Csaba Fitzl (@theevilbit) of Offensive Safety

Calendar

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: Importing a maliciously crafted calendar invitation could exfiltrate person info
• Description: A number of validation points had been addressed with improved enter sanitization.
• CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

ColorSync

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly learn arbitrary information
• Description: The problem was addressed with improved checks.
• CVE-2023-27955: JeongOhKyea

CommCenter

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly trigger sudden system termination or write kernel reminiscence
• Description: An out-of-bounds write challenge was addressed with improved enter validation.
• CVE-2023-27936: Tingting Yin of Tsinghua College

dcerpc

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: A distant person could possibly trigger sudden app termination or arbitrary code execution
• Description: The problem was addressed with improved bounds checks.
• CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: A distant person could possibly trigger sudden system termination or corrupt kernel reminiscence
• Description: The problem was addressed with improved reminiscence dealing with.
• CVE-2023-27953: Aleksandar Nikolic of Cisco Talos
• CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Basis

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: Parsing a maliciously crafted plist could result in an sudden app termination or arbitrary code execution
• Description: An integer overflow was addressed with improved enter validation.
• CVE-2023-27937: an nameless researcher

ImageIO

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: Processing a maliciously crafted file could result in sudden app termination or arbitrary code execution
• Description: An out-of-bounds learn was addressed with improved bounds checking.
• CVE-2023-27946: Mickey Jin (@patch1t)

Kernel

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly execute arbitrary code with kernel privileges
• Description: A use after free challenge was addressed with improved reminiscence administration.
• CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Undertaking Zero

Kernel

• Out there for: macOS Monterey
• Affect: An app with root privileges could possibly execute arbitrary code with kernel privileges
• Description: The problem was addressed with improved reminiscence dealing with.
• CVE-2023-27933: sqrtpwn

Kernel

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly disclose kernel reminiscence
• Description: A validation challenge was addressed with improved enter sanitization.
• CVE-2023-28200: Arsenii Kostromin (0x3c3e)

Mannequin I/O

• Out there for: macOS Monterey
• Affect: Processing a maliciously crafted file could result in sudden app termination or arbitrary code execution
• Description: An out-of-bounds learn was addressed with improved enter validation.
• CVE-2023-27949: Mickey Jin (@patch1t)

NetworkExtension

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: A person in a privileged community place could possibly spoof a VPN server that’s configured with EAP-only authentication on a tool
• Description: The problem was addressed with improved authentication.
• CVE-2023-28182: Zhuowei Zhang

PackageKit

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly modify protected elements of the file system
• Description: A logic challenge was addressed with improved checks.
• CVE-2023-23538: Mickey Jin (@patch1t)
• CVE-2023-27962: Mickey Jin (@patch1t)

Podcasts

• Out there for: macOS Monterey
• Affect: An app could possibly entry user-sensitive information
• Description: The problem was addressed with improved checks.
• CVE-2023-27942: Mickey Jin (@patch1t)

Sandbox

• Out there for: macOS Monterey
• Affect: An app could possibly modify protected elements of the file system
• Description: A logic challenge was addressed with improved checks.
• CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Safety, Inc., and Csaba Fitzl (@theevilbit) of Offensive Safety

Sandbox

• Out there for: macOS Monterey
• Affect: An app could possibly bypass Privateness preferences
• Description: A logic challenge was addressed with improved validation.
• CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

Shortcuts

• Out there for: macOS Monterey
• Affect: A shortcut could possibly use delicate information with sure actions with out prompting the person
• Description: The problem was addressed with further permissions checks.
• CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Corporations and Wenchao Li and Xiaolong Bai of Alibaba Group

System Settings

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly entry user-sensitive information
• Description: A privateness challenge was addressed with improved non-public information redaction for log entries.
• CVE-2023-23542: an nameless researcher

System Settings

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly learn delicate location info
• Description: A permissions challenge was addressed with improved validation.
• CVE-2023-28192: Guilherme Rambo of Finest Buddy Apps (rambo.codes)

Vim

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: A number of points in Vim
• Description: A number of points had been addressed by updating to Vim model 9.0.1191.
• CVE-2023-0433
• CVE-2023-0512

XPC

• Out there for: macOS Monterey/macOS Huge Sur
• Affect: An app could possibly escape of its sandbox
• Description: This challenge was addressed with a brand new entitlement.
• CVE-2023-27944: Mickey Jin (@patch1t)

AppleAVD

• Out there for: macOS Huge Sur
• Affect: An utility could possibly execute arbitrary code with kernel privileges
• Description: A use after free challenge was addressed with improved reminiscence administration.
• CVE-2022-26702: an nameless researcher, Antonio Zekic (@antoniozekic), and John Aakerblom (@jaakerblom)

Carbon Core

• Out there for: macOS Huge Sur
• Affect: Processing a maliciously crafted picture could end in disclosure of course of reminiscence
• Description: The problem was addressed with improved checks.
• CVE-2023-23534: Mickey Jin (@patch1t)

Discover My

• Out there for: macOS Huge Sur
• Affect: An app could possibly learn delicate location info
• Description: A privateness challenge was addressed with improved non-public information redaction for log entries.
• CVE-2023-23537: an nameless researcher

Identification Companies

• Out there for: macOS Huge Sur
• Affect: An app could possibly entry details about a person’s contacts
• Description: A privateness challenge was addressed with improved non-public information redaction for log entries.
• CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Safety

ImageIO

• Out there for: macOS Huge Sur
• Affect: Processing a maliciously crafted picture could end in disclosure of course of reminiscence
• Description: The problem was addressed with improved reminiscence dealing with.
• CVE-2023-23535: ryuzaki