macOS Sequoia has officially launched with new features and improvements such as window tiling, iPhone Mirroring, the new Password app, and more.
These are the 76 security patches that come with the first public release of macOS 15 Sequoia.
The release of macOS Sequoia includes a significant number of security fixes, which is not surprising for a major .0 release.
It’s great to see so many researchers and developers working to report bugs and flaws to help make the release of Sequoia as airtight as possible.
The CVEs range from kernel vulnerabilities to addressing access to sensitive data in apps like Siri, Maps, and Shortcuts.
Quick Look We would like to acknowledge Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com) for their assistance.
Safari We would like to acknowledge Hafiizh and YoKo Kho (@yokoacc) of HakTrak, Junsung Lee, Shaheen Fazim for their assistance.
Screen Capture We would like to acknowledge Joshua Jewett (@JoshJewett33), Yiğit Can YILMAZ (@yilmazcanyigit), an anonymous researcher for their assistance.
WebKit We would like to acknowledge Avi Lumelsky, Uri Katz, (Oligo Security), Johan Carlsson (joaxcar) for their assistance.
Wi-Fi We would like to acknowledge Antonio Zekic (@antoniozekic) and ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks.ai for their assistance.
The new Password app, iPhone mirroring, window tiling, and other enhancements are included in the official release of macOS Sequoia. However, Apple gave Mac users access to an astonishing number of fixed bugs and vulnerabilities under the hood. The initial public release of macOS 15 Sequoia includes these 76 security patches.
It is not unexpected for a major .0 release like macOS Sequoia to include a sizable number of security fixes. But this is the longest list of CVEs I have ever seen in a single update. It’s fantastic to see so many scientists and developers attempting to report errors and problems in order to help ensure that Sequoia is released as securely as possible.
On its Security Updates page, Apple provided information about each. The Common Vulnerabilities and Exposures (CVEs) encompass a variety of issues, including kernel vulnerabilities and vulnerabilities related to sensitive data access in applications such as Maps, Siri, and Shortcuts. Potential exploits such as memory leaks, privilege escalation, and arbitrary code execution are less likely thanks to these fixes. Additionally, Apple improved memory handling, input validation, and sandbox restrictions with patches to defend against different types of attacks.
This is the complete list of macOS Sequoia’s 76 security fixes:.
Accounts.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Effect: User information that is sensitive may be leaked by an app.
Better checks were implemented in order to address the problem.
CVE-44129 for 2024.
Financial Statements.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: User-sensitive data could be accessible to an app.
Improvements to permissions logic were made to address the issue.
The CVE-2024-44153 is Mickey Jin (@patch1t).
Financial Statements.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: Protected user data might be accessible to an app.
Description: More limitations were implemented to address a permissions issue.
@Bohdan_Stasiuk is the CVE-2024-44188 user.
APFS.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: System file contents may be altered by a malicious application that has root access.
Better checks were implemented to address the issue.
Pedro Tôrres (@t0rr3sp3dr0) is CVE-2024-40825.
APNs.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Private information could be accessed by an app that has root privileges.
Improved data protection was implemented to address this issue.
CVE-44130 of 2024.
app’s intentions.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: When a shortcut doesn’t work to launch another app, it might allow an app to access private information that has been logged.
Sensitive information was better redacted in order to address this issue.
Kirin (@Pwnrin) is CVE-2024-44182.
GraphControl by Apple Inc.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Effect: Opening a file that has been maliciously altered could cause the app to crash without warning.
Description: Better memory handling resolved a memory initialization issue.
Trend Micro Zero Day Initiative member Michael DePlante (@izobashi) is the subject of CVE-2024-44154.
GraphControl by Apple Inc.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: Running a maliciously created video file could cause the app to crash without warning.
Description: Better memory management was implemented to address the problem.
Pwn2car is collaborating with Trend Micro Zero Day Initiative (CVE-2024-40845).
CVE-2024-40846: Trend Micro Zero Day Initiative’s Michael DePlante (@izobashi).
Integrity of the Apple Mobile File.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Privacy preferences might be circumvented by an app.
Improved checks were implemented to address this issue.
Mickey Jin, CVE-2024-44164 (@patch1t).
Integrity of AppleMobile File System.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: User data that is protected might be accessible to an app.
Additional restrictions were implemented to address a permissions issue.
Kirin (@Pwnrin) is the subject of CVE-2024-40837.
Integrity of Apple Mobile File System.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Sensitive user information could be accessed by an application.
Additional code-signing restrictions were implemented to address the issue.
Mickey Jin, CVE-2024-40847 (@patch1t).
Integrity of Apple Mobile File.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: Private information might be readable by an attacker.
Description: More restrictions on code-signing were implemented to address a downgrade issue.
Mickey Jin (@patch1t) is the CVE-2024-40848.
Integrity of AppleMobile File System.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Secured areas of the file system could be altered by an application.
Description: More limitations were added to address a library injection vulnerability.
Claudio Bozzato and Francesco Benvenuto of Cisco Talos are the subject of CVE-2024-44168.
AppleV.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Restricted memory may be readable by an application.
Better memory handling was implemented to address the issue.
Trend Micro Zero Day Initiative member Michael DePlante (@izobashi) is responsible for CVE-2024-27860.
Michael DePlante (@izobashi), Trend Micro Zero Day Initiative, CVE-2024-27861.
AppleV.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Opening a maliciously created video file could cause the app to crash without warning.
Description: Better bounds checking was implemented to address an out-of-bounds write problem.
Trend Micro Zero Day Initiative member Michael DePlante (@izobashi) is the subject of CVE-2024-40841.
Applications Sandbox.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: A camera extension may be able to access the internet.
Further restrictions were implemented to address a permissions issue.
Politepix @hallewinkler, CVE-2024-27795: Halle Winkler.
AppSandbox.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Consequence: Within an App Sandbox container, an app might have access to files that are protected.
Description: More limitations were implemented to address a permissions issue.
Mickey Jin (@patch1t) is the CVE-2024-44135.
ArchiveService.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Effect: A software program might be able to escape its confines.
Description: Better management of symlinks was implemented to address this problem.
Mickey Jin (@patch1t) is the CVE-2024-44132 host.
Robot.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Gatekeeper might be circumvented by an Automator Quick Action workflow.
An extra prompt for user consent was added to address this issue.
Boegler, Anton (CVE-2024-44128).
God bless.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Secured areas of the file system could be altered by an application.
Further restrictions were implemented to address a permissions issue.
Mickey Jin (@patch1t) has CVE-2024-44151.
a reduction in size.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: An attacker may be able to write any files by extracting a maliciously created archive.
Description: Better locking was implemented to address a race condition.
Snoolie Keffaber (@0xilis) is CVE-2024-27876.
Control Center.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to record the screen without an indicator.
Improved checks were used to address the problem.
CVE-2024-27869: an anonymous researcher.
Center of Control.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Inaccurate attribution of privacy indicators related to microphone or camera access is possible.
Improved state management was implemented to address a logical issue.
Yilmazcanyigit (@yilmazcanyigit) is the CVE-2024-27875.
transferfile.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: An application might be able to escape its confines.
Improved file handling was implemented to address a logic issue.
CVE-2024-44146: an anonymous researcher.
CUPS.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: Opening a maliciously created file might cause the application to crash without warning.
This is an open-source code vulnerability that affects projects, including Apple Software. An outside source assigned the CVE-ID. Visit cve . org to learn more about the problem and CVE-ID.
CVEN-2023-4504.
Disk Images.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to break out of its sandbox.
Description: This issue was addressed with improved validation of file attributes.
CVE-2024-44148: an anonymous researcher.
Dock.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: User-sensitive data might be accessible to an app.
Sensitive data was deleted in order to address a privacy concern.
Researcher CVE-2024-44177 is not identified.
FileSource.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: Sensitive user information could be accessed by an app.
Improved symlink validation was implemented to address this issue.
CVE-2024-44131: Jamf’s @08Tc3wBB.
Game Center.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: An app may be able to access user-sensitive data.
Description: A file access issue was addressed with improved input validation.
Denis Tokarev, CVE-2024-40850 (@illusionofcha0s).
Pictures Taken.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Repercussion: A user’s Photo Library might be accessible to an application.
Further restrictions were implemented to address a permissions issue.
CVE-2024-40831, Mickey Jin (@patch1t).
PicturesIO.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: Opening a maliciously created file could cause the application to crash without warning.
An enhanced input validation was implemented to tackle an out-of-bounds read issue.
Lee, Junsung (CVE-2024-27880).
PicturesIO.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Consequence: A denial-of-service attack could occur while processing an image.
Improved bounds checking was implemented in order to address an out-of-bounds access problem.
CVE-2024-44176: Trend Micro Zero Day Initiative, an anonymous researcher, and dw0r of ZeroPointer Lab.
Installer.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Root privileges could be obtained by an application.
Improved checks were used to address the problem.
Mickey Jin, CVE-2024-40861 (@patch1t).
Intel Graphics Driver.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: Processing a maliciously created texture could cause the application to crash without warning.
Description: Better memory handling was implemented to address a buffer overflow issue.
Trend Micro Zero Day Initiative member Michael DePlante (@izobashi) is the subject of CVE-2024-44160.
Intel Graphics Driver.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Processing a maliciously created texture could cause the application to crash without warning.
Improved bounds checking was implemented in order to address an out-of-bounds read.
Trend Micro Zero Day Initiative’s Michael DePlante (@izobashi) is the subject of CVE-2024-44161.
Surface Accelerator for iOS.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
The potential for an application to unexpectedly terminate the system exists.
Description: Better memory handling was implemented to address the problem.
Antonio Zekić CVE-2024-44169.
the kernel.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Network traffic may leak outside a VPN tunnel.
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov.
Kernel.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may gain unauthorized access to Bluetooth.
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven (@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef.
libxml2.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: Processing maliciously crafted web content may lead to an unexpected process crash.
Description: An integer overflow was addressed through improved input validation.
Ned Williamson from Google Project Zero identified CVE-2024-44198 as OSS-Fuzz.
Accounts for Mail.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: A user’s contacts may be accessible to an app.
Description: Better private data redaction for log entries addressed a privacy concern.
CVE-2024-40791: @eisw0lf Rodolphe BRUNETTI.
Maps.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Repercussions: A sensitive location data may be readable by an app.
Improved management of temporary files resolved a problem.
From Fudan University, LFY (@secsys) and Kirin (@Pwnrin) are responsible for CVE-2024-44181.
mDNSResponder.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to cause a denial-of-service.
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Levon Olivier.
Model I/O.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Effect: A denial-of-service attack could result from processing a maliciously created image.
Apple Software is one of the projects that is impacted by this open source code vulnerability. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve . org.
CVE-2023-5841.
Melody.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: User data that is protected may be accessible to an app.
Description: A permissions issue was addressed with additional restrictions.
Meng Zhang (鲸落) from NorthSea and Csaba Fitzl (@theevilbit) from Offensive Security are involved in CVE-2024-27858.
Remarks.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
The potential for an application to overwrite any file is a concern.
The vulnerable code was removed in order to resolve this issue.
CAPTCHA-2024-44167: ajajfxhj.
The Notification Hub.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: Notifications from the user’s device may be accessed by a malicious app.
Sensitive data was relocated to a secure area in order to address a privacy concern.
Brian McNulty and Cristian Dinca of Romania’s “Tudor Vianu” National High School of Computer Science, Vaibhav Prajapati, are the subjects of CVE-2024-40838.
NSColor.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: User data that is protected may be accessible to an app.
Description: An access issue was addressed with additional sandbox restrictions.
An unnamed researcher is CVE-2024-44186.
OpenSSH.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
OpenSSH is affected by several problems.
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve . org.
CVE-2024-39894.
PackageKit.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to modify protected parts of the file system.
Description: This issue was addressed with improved validation of symlinks.
CVE-2024-44178: Mickey Jin (@patch1t).
Printing.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: When utilizing print preview, an unencrypted document might be written to a temporary file.
Description: Better file management addressed a privacy concern.
CVE-2024-40826: an anonymous researcher.
Quick Look.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: An app may be able to access protected user data.
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44149: Wojciech Regula of SecuRing (wojciechregula. blog), OffSec’s Csaba Fitzl (@theevilbit).
safari.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Effect: User interface spoofing can occur when a malicious website is visited.
Improved state management was used to address this problem.
Rifa’i Rejal Maynando, CVE-2024-40797.
Sandbox.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: A malicious application may be able to leak sensitive user information.
Description: The issue was addressed with improved checks.
Zhongquan Li, CVE-2024-44125 (@Guluisacat).
Playground.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: Private information could be accessed by a malicious program.
Improved checks were used to address the problem.
CVE-2024-44163: Zhongquan Li (@Guluisacat).
Security Initialization.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to access protected user data.
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito (@pvieito), an anonymous researcher.
Shortcuts.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: User data that is protected might be accessible to an app.
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40837: Kirin (@Pwnrin).
Shortcuts.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: A shortcut may output sensitive user data without consent.
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-44158: Kirin (@Pwnrin).
Shortcuts.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to observe data displayed to the user by Shortcuts.
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2024-40844: NorthSea’s luckyu (@uuulucky) and Kirin (@Pwnrin).
Siri.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: User-sensitive data could be accessible to an app.
Sensitive data was moved to a more secure location in order to address a privacy concern.
K䪝, LFY (@secsys), Smi1e, yulige, Cristian Dinca (icmd) are the ones affected by CVE-2024-44170. tech), Rodolphe BRUNETTI (@eisw0lf).
sudo.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: Applications have the potential to alter file system protections.
Improved checks were made in order to address a logic issue.
The CVE-2024-40860 is Arsenii Kostromin (0x3c3e).
Configuration of the system.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: User-sensitive data could be accessible to an app.
Improved private data redaction for log entries addressed a privacy concern.
Kirin (@Pwnrin) is the subject of CVE-2024-44152.
CVE-2024-44166: Fudan University’s Kirin (@Pwnrin) and LFY (@secsys).
Configuration of the System.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: A program might be able to read any kind of file.
Description: Better validation was used to address a path handling issue.
Rodolphe BRUNETTI (@eisw0lf) is CVE-2024-44190.
TCC.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: On MDM managed devices, an app may be able to bypass certain Privacy preferences.
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44133: Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft.
openness.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Effect: User-sensitive information might be accessible to an app.
Description: A permissions issue was addressed with additional restrictions.
Bohdan Stasiuk, CVE-2024-44184 (@Bohdan_Stasiuk).
TV App.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: User information may be accessible to an app.
Description: More limitations were added to address a permissions issue.
Offensive Security’s Csaba Fitzl (@theevilbit) is responsible for CVE-2024-40859.
Vim.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: Processing a maliciously crafted file may lead to unexpected app termination.
This is an open-source code vulnerability affecting several projects, including Apple Software. Third party software generated the CVE-ID. Learn more about the issue and CVE-ID at cve . org.
CVE-2024-41957.
WebKit.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
An enhanced state management strategy was used to address this problem.
Bugzilla: 268724 for WebKit.
For Ron Masas, CVE-2024-40857.
WebMaker.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: Visiting a malicious website may lead to address bar spoofing.
Description: The issue was addressed with improved UI.
WebKit Bugzilla: 279451.
CVE-2024-40866: Hafiizh and YoKo Kho (@yokoacc) of HakTrak.
WebKit.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: A malicious website may exfiltrate data cross-origin.
There was an issue with “iframe” elements that was cross-origin. Improved tracking of security origins was implemented to mitigate this.
Bugzilla for WebKit: 279452.
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India).
Wi-Fi.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: A non-privileged user may be able to modify restricted network settings.
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40770: Yiğit Can YILMAZ (@yilmazcanyigit).
Wi-Fi.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to cause a denial-of-service.
Description: The issue was addressed with improved memory handling.
CVE-2024-23237: Charly Suchanek.
Wi-Fi.
For Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) available.
Impact: It’s possible for an app to read private location data.
Sensitive information was better redacted in order to address this issue.
CVE-44134 /2024.
WiFi.
Available for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
Impact: It could be possible for an attacker to make a device unplug from a secure network.
Description: Beacon Protection was used to address an integrity issue.
Domien Schepers, CVE-2024-40856.
Server Window.
accessible for: MacBook Air (2020 and later), MacBook Pro (2018 and later), iMac (2019 and later), Mac Mini (2018 and later), Mac Studio (2022 and later), and iMac Pro (2017 and later).
The impact was that there was a logic flaw where a process could have taken screenshots without the user’s permission.
Description: The issue was addressed with improved checks.
CVE-2024-44189: Tim Clem.
XProtect.
This product is compatible with the following: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro ( 2017.
Impact: User-sensitive data might be accessible to an app.
Improved environment variable validation was implemented to address a concern.
CVE-2024-40842: Gergely Kalman (@gergely_kalman).
XProtect.
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Impact: An app may be able to modify protected parts of the file system.
Description: The issue was addressed with improved checks.
Koh M. Nakagawa (@tsunek0h) is CVE-2024-40843.
More acknowledgment.
Admin Framework.
We express our gratitude to Csaba Fitzl (@theevilbit) at Offensive Security for his help.
airfield.
We would like to acknowledge David Dudok de Wit, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
APFS.
We would like to acknowledge Georgi Valkov of httpstorm . com for their assistance.
App Retailer.
We appreciate the help from Csaba Fitzl (@theevilbit) at Offensive Security.
KitApp.
For their help, we are grateful to @08Tc3wBB of Jamf.
Apple Neural Network.
We would like to acknowledge Jiaxun Zhu (@svnswords) and Minghao Lin (@Y1nKoc) for their assistance.
Automator.
We are grateful to Koh M. Nakagawa (@tsunek0h) for their help.
central Bluetooth.
We would like to acknowledge Nicholas C. of Onymos Inc. (onymos . com) for their help and support.
Essential Services.
With gratitude to Cristian Dinca of the “Tudor Vianu” National High School of Computer Science, Romania, 7feilee, Snoolie Keffaber (@0xilis), Tal Lossos, and Zhongquan Li (@Guluisacat) for their support, we would like to acknowledge [Pwnrin].
Disk Manager.
We are grateful for the help provided by Csaba Fitzl (@theevilbit) of Kandji.
FileSource.
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Foundation.
We would like to acknowledge Ostorlab for their assistance.
the kernel.
We appreciate the help from Braxton Anderson and Fakhri Zulkifli (@d0lph1n98) at PixiePoint Security.
LibXPc.
Rasmus Sten, F-Secure (Mastodon: @pajp@blog), is acknowledged with gratitude. dll . nu) for their support.
LLVM.
We thank the following people for their assistance: Marius Muench, Fabian Freyer, Fabio Pagani of the University of California, Santa Barbara, Victor Duta of Universiteit Amsterdam, and Cristiano Giuffrida of Universiteit Amsterdam.
charts.
Our gratitude goes out to Kirin (@Pwnrin) for her help.
Melody.
We would like to acknowledge Khiem Tran of databaselog . com/khiemtran, K宝 and LFY@secsys from Fudan University, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Notifications.
We would like to acknowledge an anonymous researcher for their assistance.
PackageKit.
We express our gratitude to Mickey Jin (@patch1t), Zhongquan Li (@Guluisacat), and Csaba Fitzl (@theevilbit) of OffSec for their invaluable assistance.
Password protection.
For his help, we are grateful to Richard Hyunho Im (@r1cheeta).
Images.
We are grateful to Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College of Technology in Bhopal, India, Harsh Tyagi, and Leandro Chaves for their support.
audio podcasts.
Yiğit Can YILMAZ (@yilmazcanyigit) is appreciated for their help.
A cursory glance.
We express our gratitude to Tencent Security Xuanwu Lab’s Zhipeng Huo (@R3dF09) (xlab. Tencent.com) for their support.
Safari.
We are grateful to Junsung Lee, Shaheen Fazim, Hafiizh, and YoKo Kho (@yokoacc) of HakTrak for their help.
Sandbox. .
Cristian Dinca of Romania’s “Tudor Vianu” National High School of Computer Science, Kirin (@Pwnrin) of NorthSea, and Wojciech Regula of SecuRing (wojciechregula) are all acknowledged. Thank you for your help, blog), Yiğit Can YILMAZ (@yilmazcanyigit).
Screen Capture.
We would like to acknowledge Joshua Jewett (@JoshJewett33), Yiğit Can YILMAZ (@yilmazcanyigit), an anonymous researcher for their assistance.
Shortcuts.
We thank the researcher who remains anonymous, Jacob Braun, and Cristian Dinca from the “Tudor Vianu” National High School of Computer Science in Romania for their help.
Siri.
For their assistance, we are grateful to Rohan Paudel.
Migration of the System.
We appreciate the help from anonymous researchers Kevin Jansen and Jamey Wicklund.
TCC.
We are grateful for the help provided by Vaibhav Prajapati and Noah Gregory (wts . dev).
UIKit.
We would like to give Andr some credit. Thank you Ess for your help.
audio memos.
We would like to acknowledge Lisa B for their assistance.
WebKit.
We are grateful to Johan Carlsson (joaxcar), Avi Lumelsky, and Uri Katz (Oligo Security) for their help.
Bluetooth.
We would like to acknowledge Antonio Zekic (@antoniozekic) and ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks . ai for their assistance.
WindowServer.
We would like to acknowledge Felix Kratz, an anonymous researcher for their assistance.