ISC Stormcast For Friday, March 8th, 2024 https://isc.sans.edu/podcastdetail/8886

MacOS Patches (and Safari, TVOS, VisionOS, WatchOS)

Published: 2024-03-08. Last Updated: 2024-03-08 00:45:00 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

 

After patching iOS and iPadOS a few days ago, Apple patched the rest of its lineup today, most notably macOS. These updates include the two 0-days patched for iOS. Interestingly, we also see three vulnerabilities addressed specifically for VisionOS, Apple's latest operating system. One of the VisionOS vulnerabilities affects Personas, a feature only available in VisionOS.

NOTE: Apple amended its list of vulnerabilities for iOS/iPadOS. Many of the vulnerabilities below also affect iOS. The initial release only noted four different vulnerabilities.

Apple security bulletin URL: https://support.apple.com/en-us/HT201222

Safari 17.4 macOS Sonoma 14.4 macOS Ventura 13.6.5 macOS Monterey 12.7.4 watchOS 10.4 tvOS 17.4 visionOS 1.1
CVE-2024-23273 [moderate] Safari Private Browsing
This issue was addressed through improved state management.
Private Browsing tabs may be accessed without authentication
x x          
CVE-2024-23252 [moderate] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to a denial-of-service
x x          
CVE-2024-23254 [moderate] WebKit
The issue was addressed with improved UI handling.
A malicious website may exfiltrate audio data cross-origin
x x     x x x
CVE-2024-23263 [other] WebKit
A logic issue was addressed with improved validation.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23280 [moderate] WebKit
An injection issue was addressed with improved validation.
A maliciously crafted webpage may be able to fingerprint the user
x x     x x  
CVE-2024-23284 [other] WebKit
A logic issue was addressed with improved state management.
Processing maliciously crafted web content may prevent Content Security Policy from being enforced
x x     x x x
CVE-2024-23291 [moderate] Accessibility
A privacy issue was addressed with improved private data redaction for log entries.
A malicious app may be able to observe user data in log entries related to accessibility notifications
  x     x x  
CVE-2024-23276 [moderate] Admin Framework
A logic issue was addressed with improved checks.
An app may be able to elevate privileges
  x x x      
CVE-2024-23227 [important] Airport
This issue was addressed with improved redaction of sensitive information.
An app may be able to read sensitive location information
  x x x      
CVE-2024-23233 [moderate] AppleMobileFileIntegrity
This issue was addressed with improved checks.
Entitlements and privacy permissions granted to this app may be used by a malicious app
  x          
CVE-2024-23269 [important] AppleMobileFileIntegrity
A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23288 [moderate] AppleMobileFileIntegrity
This issue was addressed by removing the vulnerable code.
An app may be able to elevate privileges
  x     x x  
CVE-2024-23277 [moderate] Bluetooth
The issue was addressed with improved checks.
An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard
  x          
CVE-2024-23247 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to unexpected app termination or arbitrary code execution
  x x x      
CVE-2024-23248 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23249 [moderate] ColorSync
The issue was addressed with improved memory handling.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x          
CVE-2024-23250 [moderate] CoreBluetooth - LE
An access issue was addressed with improved access restrictions.
An app may be able to access Bluetooth-connected microphones without user permission
  x     x x  
CVE-2024-23244 [moderate] Dock
A logic issue was addressed with improved restrictions.
An app from a standard user account may be able to escalate privilege after admin user login
  x x x      
CVE-2024-23205 [moderate] ExtensionKit
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access sensitive user data
  x          
CVE-2022-48554 [moderate] file
This issue was addressed with improved checks.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
  x     x x  
CVE-2024-23253 [moderate] Image Capture
A permissions issue was addressed with additional restrictions.
An app may be able to access a user's Photos Library
  x          
CVE-2024-23270 [important] Image Processing
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
  x x x   x  
CVE-2024-23257 [important] ImageIO
The issue was addressed with improved memory handling.
Processing an image may result in disclosure of process memory
  x x x     x
CVE-2024-23258 [critical] ImageIO
An out-of-bounds read was addressed with improved input validation.
Processing an image may lead to arbitrary code execution
  x         x
CVE-2024-23286 [critical] ImageIO
A buffer overflow issue was addressed with improved memory handling.
Processing an image may lead to arbitrary code execution
  x x x x x x
CVE-2024-23234 [important] Intel Graphics Driver
An out-of-bounds write issue was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges
  x x x      
CVE-2024-23266 [important] Kerberos v5 PAM module
The issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
  x x x      
CVE-2024-23235 [important] Kernel
A race condition was addressed with additional validation.
An app may be able to access user-sensitive data
  x     x x x
CVE-2024-23265 [important] Kernel
A memory corruption vulnerability was addressed with improved locking.
An app may be able to cause unexpected system termination or write kernel memory
  x x x x x x
CVE-2024-23225 [moderate] *** EXPLOITED *** Kernel
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x x x x x x
CVE-2024-23278 [important] libxpc
The issue was addressed with improved checks.
An app may be able to break out of its sandbox
  x     x x  
CVE-2024-0258 [moderate] libxpc
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
  x     x x  
CVE-2024-23279 [important] MediaRemote
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x          
CVE-2024-23287 [important] Messages
A privacy issue was addressed with improved handling of temporary files.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23264 [important] Metal
A validation issue was addressed with improved input sanitization.
An application may be able to read restricted memory
  x x x   x x
CVE-2024-23285 [moderate] Music
This issue was addressed with improved handling of symlinks.
An app may be able to create symlinks to protected regions of the disk
  x          
CVE-2024-23283 [important] Notes
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x x x      
CVE-2023-48795 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51384 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2023-51385 [moderate] OpenSSH
Multiple issues were addressed by updating to OpenSSH 9.6.
Multiple issues in OpenSSH
  x          
CVE-2022-42816 [important] PackageKit
A logic issue was addressed with improved state management.
An app may be able to modify protected parts of the file system
  x          
CVE-2024-23216 [moderate] PackageKit
A path handling issue was addressed with improved validation.
An app may be able to overwrite arbitrary files
  x x x      
CVE-2024-23267 [moderate] PackageKit
The issue was addressed with improved checks.
An app may be able to bypass certain Privacy preferences
  x x x      
CVE-2024-23268 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2024-23274 [moderate] PackageKit
An injection issue was addressed with improved input validation.
An app may be able to elevate privileges
  x x x      
CVE-2023-42853 [important] PackageKit
A logic issue was addressed with improved checks.
An app may be able to access user-sensitive data
  x          
CVE-2024-23275 [moderate] PackageKit
A race condition was addressed with additional validation.
An app may be able to access protected user data
  x x x      
CVE-2024-23255 [moderate] Photos
An authentication issue was addressed with improved state management.
Photos in the Hidden Photos Album may be viewed without authentication
  x          
CVE-2024-23294 [moderate] QuartzCore
This issue was addressed by removing the vulnerable code.
Processing malicious input may lead to code execution
  x          
CVE-2024-23296 [moderate] *** EXPLOITED *** RTKit
A memory corruption issue was addressed with improved validation.
An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
  x     x x x
CVE-2024-23259 [moderate] Safari
The issue was addressed with improved checks.
Processing web content may lead to a denial-of-service
  x          
CVE-2024-23238 [moderate] Sandbox
An access issue was addressed with improved access restrictions.
An app may be able to edit NVRAM variables
  x          
CVE-2024-23239 [important] Sandbox
A race condition was addressed with improved state handling.
An app may be able to leak sensitive user information
  x     x x  
CVE-2024-23290 [important] Sandbox
A logic issue was addressed with improved restrictions.
An app may be able to access user-sensitive data
  x     x x  
CVE-2024-23232 [moderate] Screen Capture
A privacy issue was addressed with improved handling of temporary files.
An app may be able to capture a user's screen
  x          
CVE-2024-23231 [important] Share Sheet
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access user-sensitive data
  x     x    
CVE-2024-23230 [moderate] SharedFileList
This issue was addressed with improved file handling.
An app may be able to access sensitive user data
  x x x      
CVE-2024-23245 [moderate] Shortcuts
This issue was addressed by adding an additional prompt for user consent.
Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent
  x x x      
CVE-2024-23292 [moderate] Shortcuts
This issue was addressed with improved data protection.
An app may be able to access information about a user's contacts
  x          
CVE-2024-23289 [moderate] Siri
A lock screen issue was addressed with improved state management.
A person with physical access to a device may be able to use Siri to access private calendar information
  x     x    
CVE-2024-23293 [moderate] Siri
This issue was addressed through improved state management.
An attacker with physical access may be able to use Siri to access sensitive user data
  x     x x  
CVE-2024-23241 [important] Spotlight
This issue was addressed through improved state management.
An app may be able to leak sensitive user information
  x       x  
CVE-2024-23272 [moderate] Storage Services
A logic issue was addressed with improved checks.
A user may gain access to protected parts of the file system
  x x x      
CVE-2024-23242 [moderate] Synapse
A privacy issue was addressed by not logging contents of text fields.
An app may be able to view Mail data
  x          
CVE-2024-23281 [moderate] System Settings
This issue was addressed with improved state management.
An app may be able to access sensitive user data
  x          
CVE-2024-23260 [important] TV App
This issue was addressed by removing additional entitlements.
An app may be able to access user-sensitive data
  x          
CVE-2024-23246 [important] UIKit
This issue was addressed by removing the vulnerable code.
An app may be able to break out of its sandbox
  x     x x x
CVE-2024-23226 [critical] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
  x     x x x
CVE-2024-23218 [moderate] CoreCrypto
A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.
An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key
    x x      
CVE-2024-23201 [important] libxpc
A permissions issue was addressed with additional restrictions.
An app may be able to cause a denial-of-service
    x x      
CVE-2023-28826 [moderate] MediaRemote
This issue was addressed with improved redaction of sensitive information.
An app may be able to access sensitive user data
    x x      
CVE-2024-23204 [moderate] Shortcuts
The issue was addressed with additional permissions checks.
A shortcut may be able to use sensitive data with certain actions without prompting the user
    x x      
CVE-2024-23297 [moderate] MediaRemote
The issue was addressed with improved checks.
A malicious application may be able to access private information
        x x  
CVE-2024-23262 [moderate] Accessibility
This issue was addressed with additional entitlement checks.
An app may be able to spoof system notifications and UI
            x
CVE-2024-23295 [moderate] Persona
A permissions issue was addressed to help ensure Personas are always protected
An unauthenticated user may be able to use an unprotected Persona
            x
CVE-2024-23220 [moderate] Safari
The issue was addressed with improved handling of caches.
An app may be able to fingerprint the user
            x

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
1 comment(s)

Comments


Diary Archives