Home / mailingsPDF  

APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

Posted on 23 January 2024
Apple Security-announce

APPLE-SA-01-22-2024-5 macOS Sonoma 14.3

macOS Sonoma 14.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214061.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security

CoreCrypto
Available for: macOS Sonoma
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Finder
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with improved checks.
CVE-2024-23224: Brian McNulty

Kernel
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group

LLVM
Available for: macOS Sonoma
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2024-23209

Mail Search
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), and
Ian de Marcellus

NSSpellChecker
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Safari
Available for: macOS Sonoma
Impact: A user's private browsing activity may be visible in Settings
Description: A privacy issue was addressed with improved handling of
user preferences.
CVE-2024-23211: Mark Bowers

Shortcuts
Available for: macOS Sonoma
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23203: an anonymous researcher
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: macOS Sonoma
Impact: An app may be able to bypass certain Privacy preferences
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-23217: Kirin (@Pwnrin)

TCC
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)

Time Zone
Available for: macOS Sonoma
Impact: An app may be able to view a user's phone number in system logs
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WebKit
Available for: macOS Sonoma
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher

WebKit
Available for: macOS Sonoma
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
WebKit Bugzilla: 265129
CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 Vulnerability
Research Institute

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222

macOS Sonoma 14.3 may be obtained from the Mac App Store or Apple's
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP