what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Security Advisory 03-07-2024-4

Apple Security Advisory 03-07-2024-4
Posted Mar 14, 2024
Authored by Apple | Site apple.com

Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.

tags | advisory, overflow, vulnerability, code execution
systems | apple
advisories | CVE-2023-28826, CVE-2024-23201, CVE-2024-23204, CVE-2024-23216, CVE-2024-23218, CVE-2024-23225, CVE-2024-23227, CVE-2024-23230, CVE-2024-23234, CVE-2024-23244, CVE-2024-23245, CVE-2024-23247, CVE-2024-23257, CVE-2024-23264
SHA-256 | 6d34d98987ed9e7f5bc383bd22eb781faef984e2518dc2398e1701abcb1cdd3b

Apple Security Advisory 03-07-2024-4

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214083.

Apple maintains a Security Releases page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Monterey
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
CVE-2024-23276: Kirin (@Pwnrin)

Airport
Available for: macOS Monterey
Impact: An app may be able to read sensitive location information
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: A downgrade issue affecting Intel-based Mac computers was
addressed with additional code-signing restrictions.
CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync
Available for: macOS Monterey
Impact: Processing a file may lead to unexpected app termination or
arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto
Available for: macOS Monterey
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Dock
Available for: macOS Monterey
Impact: An app from a standard user account may be able to escalate
privilege after admin user login
Description: A logic issue was addressed with improved restrictions.
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23270: an anonymous researcher

ImageIO
Available for: macOS Monterey
Impact: Processing an image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO
Available for: macOS Monterey
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel
Available for: macOS Monterey
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel
Available for: macOS Monterey
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23225

libxpc
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous
researcher

MediaRemote
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal
Available for: macOS Monterey
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero
Day Initiative

Notes
Available for: macOS Monterey
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-23283

PackageKit
Available for: macOS Monterey
Impact: An app may be able to elevate privileges
Description: An injection issue was addressed with improved input
validation.
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)
CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to access protected user data
Description: A race condition was addressed with additional validation.
CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to bypass certain Privacy preferences
Description: The issue was addressed with improved checks.
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to overwrite arbitrary files
Description: A path handling issue was addressed with improved
validation.
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved file handling.
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts
Available for: macOS Monterey
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: macOS Monterey
Impact: Third-party shortcuts may use a legacy action from Automator to
send events to apps without user consent
Description: This issue was addressed by adding an additional prompt for
user consent.
CVE-2024-23245: an anonymous researcher

Storage Services
Available for: macOS Monterey
Impact: A user may gain access to protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-23272: Mickey Jin (@patch1t)

macOS Monterey 12.7.4 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqccMACgkQX+5d1TXa
IvoRPw//aOvhmfw+nqXXgAMv5Ptm8/G29gC7vtiS6WVFJsmUEQA5aM5P8KYRT1VP
UtxDS0ShqKze958tIsiGpOshP7jildMmv52VKLG3HIV8XTTgiSBmO7ODPheGQaaG
wgUkoZbue7VRSr9UZEm8qbLPdJpCUIbSWJImRbE6k4+Ap1IqRsYVv01gLN9+Ohhw
tv6ObXbqeKI7EjRcfxqAG/SdehWg2azogMsdrq+wfpaEZG+Fy6B2NPu8AOcKICRQ
to8JKPWMvtoGjbns5r8OPd9O29z3icsIB8b3qfQZHTc5i/eWi++VoAhLR2lEq8Ts
hUPbOyf1AU4BeFKCC2MI060lOwK1WE4LRvD/CWv0g02b+yW9lXQ5xTah4+ycYaEp
vXbxtlp7Da8s0XTDACFVvfMMN7fi3NIBSjwtz6YnqN6cxVnV/re69UYwuT44aJ4s
UA5NElkhe7NZJ1+QQ5mSws19+PjP7TZpdeaPxxQfr6JN2Mi0a52tCaCmF0gIZHJj
/HyjQzJHb40w5e4Vqw2r4GxvgZvjmUiW4pvPXgKD+6Ykp+g4lhHldSSFnDakjSy3
OUM2idhKAHeHdFSm6UEv4ehhJM660DbDRujaZPpVuSKpcqKS79vcjs/gD/EGt/uG
rhwMQd321+WzaKcGxu0gbAVRMzAtP/yxMEovCU2zFfh3AxbopDg=
=KbmJ
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close