Apple Security Advisory 10-25-2023-6 - macOS Monterey 12.7.1 addresses bypass and code execution vulnerabilities.
9d1c7434d247989eedebc03d290828fbfa13d85114508a85c4d35e00175ef82c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-10-25-2023-6 macOS Monterey 12.7.1
macOS Monterey 12.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213983.
Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
CoreAnimation
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w
FileProvider
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service to Endpoint
Security clients
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)
Find My
Available for: macOS Monterey
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
CVE-2023-40413: Adam M.
Foundation
Available for: macOS Monterey
Impact: A website may be able to access sensitive user data when
resolving symlinks
Description: This issue was addressed with improved handling of
symlinks.
CVE-2023-42844: Ron Masas of BreakPoint.SH
ImageIO
Available for: macOS Monterey
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40416: JZ
IOTextEncryptionFamily
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-40423: an anonymous researcher
Kernel
Available for: macOS Monterey
Impact: An attacker that has already achieved kernel code execution may
be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)
Model I/O
Available for: macOS Monterey
Impact: Processing a file may lead to unexpected app termination or
arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
Sandbox
Available for: macOS Monterey
Impact: An app with root privileges may be able to access private
information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-40425: Csaba Fitzl (@theevilbit) of Offensive Security
talagent
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)
WindowServer
Available for: macOS Monterey
Impact: A website may be able to access the microphone without the
microphone use indicator being shown
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-41975: an anonymous researcher
Additional recognition
GPU Drivers
We would like to acknowledge an anonymous researcher for their
assistance.
libarchive
We would like to acknowledge Bahaa Naamneh for their assistance.
libxml2
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project
Zero for their assistance.
macOS Monterey 12.7.1 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y5oACgkQX+5d1TXa
Ivqb6BAAieI+tJLfoXDjA0sTp609OWejWuxdN1SYm8DCRu6P5Qdt3YMa8pn00HhO
qEzCi8UdZ39itc7duw8iQa5SbMdXaMahFOV/LBCaMeYLtQbIHhMPJLe8sV3MPLgt
keAs21DKhlAVKfxG3Y3v6aIxf2RUbv19fFC2k+cqNvieHj8S5WxMLC0LSIfekHJ2
uewaIpTrUHxjnJkStF/e+9QquJB4FXWX6Vx3vWY6UjclO380u8lilOQ13JW8kWNU
Hhxz/CnH4u0H92RnVOY5vOHt4bY+uh7JOj/PZNIhPAv3MrvPWzFcqQvfQPjRa5zZ
AAcWReslUWwnEVlCkdTAyitqTsbxKaMn9h60jy03HE5ydcSjsBIGhX4TWETv9r2m
LqMHpsvQanPJZz2zi9LsptDOtVOiDji/5EVwZd5IG4z8fauLgbJ5VGgSj9RE8q01
FGzYSmuMY4BNf+bu2w9SexbBsVvCtAvMuedFy8Z4Gdi4nz2OauVjAXVo/AdKKeQk
aN2PnXOmTJLigJziwCbyTUbYEy4pjL9mJwAkbYDm5fUbU5FYhrBJ+XuhIIz/MkIN
foFk82DGzre1yORU+zPXlT0Y/khO5ZvFvQUDyG9FClrw0GrBGBMBtUriTTm46n0b
RF2rs8ucMPOfM0fFpWZIeiulY2tekAFOLOK5j425pjjfRN2+XJw=zXmL
-----END PGP SIGNATURE-----