Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

Related Vulnerabilities: CVE-2024-23276   CVE-2024-23227   CVE-2024-23269   CVE-2024-23247   CVE-2024-23218   CVE-2024-23244   CVE-2024-23270   CVE-2024-23286   CVE-2024-23257   CVE-2024-23234   CVE-2024-23266   CVE-2024-23265   CVE-2024-23225   CVE-2024-23201   CVE-2023-28826   CVE-2024-23264   CVE-2024-23283   CVE-2024-23274   CVE-2024-23268   CVE-2024-23275   CVE-2024-23267   CVE-2024-23216   CVE-2024-23230   CVE-2024-23204   CVE-2024-23245   CVE-2024-23272  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#23">By Date</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#23">By Thread</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Apple Product Security via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Thu, 07 Mar 2024 18:23:25 -0800


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.
Information about the security content is also available at
<a rel="nofollow" href="https://support.apple.com/kb/HT214083">https://support.apple.com/kb/HT214083</a>.

Apple maintains a Security Releases page at
<a rel="nofollow" href="https://support.apple.com/HT201222">https://support.apple.com/HT201222</a> which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Monterey
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
CVE-2024-23276: Kirin (@Pwnrin)

Airport
Available for: macOS Monterey
Impact: An app may be able to read sensitive location information
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: A downgrade issue affecting Intel-based Mac computers was
addressed with additional code-signing restrictions.
CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync
Available for: macOS Monterey
Impact: Processing a file may lead to unexpected app termination or
arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto
Available for: macOS Monterey
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang

Dock
Available for: macOS Monterey
Impact: An app from a standard user account may be able to escalate
privilege after admin user login
Description: A logic issue was addressed with improved restrictions.
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23270: an anonymous researcher

ImageIO
Available for: macOS Monterey
Impact: Processing an image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO
Available for: macOS Monterey
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel
Available for: macOS Monterey
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel
Available for: macOS Monterey
Impact: An attacker with arbitrary kernel read and write capability may
be able to bypass kernel memory protections. Apple is aware of a report
that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved
validation.
CVE-2024-23225

libxpc
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous
researcher

MediaRemote
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal
Available for: macOS Monterey
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero
Day Initiative

Notes
Available for: macOS Monterey
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-23283

PackageKit
Available for: macOS Monterey
Impact: An app may be able to elevate privileges
Description: An injection issue was addressed with improved input
validation.
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)
CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to access protected user data
Description: A race condition was addressed with additional validation.
CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to bypass certain Privacy preferences
Description: The issue was addressed with improved checks.
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Monterey
Impact: An app may be able to overwrite arbitrary files
Description: A path handling issue was addressed with improved
validation.
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved file handling.
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts
Available for: macOS Monterey
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts
Available for: macOS Monterey
Impact: Third-party shortcuts may use a legacy action from Automator to
send events to apps without user consent
Description: This issue was addressed by adding an additional prompt for
user consent.
CVE-2024-23245: an anonymous researcher

Storage Services
Available for: macOS Monterey
Impact: A user may gain access to protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-23272: Mickey Jin (@patch1t)

macOS Monterey 12.7.4 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
<a rel="nofollow" href="https://support.apple.com/downloads/">https://support.apple.com/downloads/</a>
All information is also posted on the Apple Security Releases
web site: <a rel="nofollow" href="https://support.apple.com/en-us/HT201222">https://support.apple.com/en-us/HT201222</a>.

This message is signed with Apple's Product Security PGP key,
and details are available at:
<a rel="nofollow" href="https://www.apple.com/support/security/pgp/">https://www.apple.com/support/security/pgp/</a>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqccMACgkQX+5d1TXa
IvoRPw//aOvhmfw+nqXXgAMv5Ptm8/G29gC7vtiS6WVFJsmUEQA5aM5P8KYRT1VP
UtxDS0ShqKze958tIsiGpOshP7jildMmv52VKLG3HIV8XTTgiSBmO7ODPheGQaaG
wgUkoZbue7VRSr9UZEm8qbLPdJpCUIbSWJImRbE6k4+Ap1IqRsYVv01gLN9+Ohhw
tv6ObXbqeKI7EjRcfxqAG/SdehWg2azogMsdrq+wfpaEZG+Fy6B2NPu8AOcKICRQ
to8JKPWMvtoGjbns5r8OPd9O29z3icsIB8b3qfQZHTc5i/eWi++VoAhLR2lEq8Ts
hUPbOyf1AU4BeFKCC2MI060lOwK1WE4LRvD/CWv0g02b+yW9lXQ5xTah4+ycYaEp
vXbxtlp7Da8s0XTDACFVvfMMN7fi3NIBSjwtz6YnqN6cxVnV/re69UYwuT44aJ4s
UA5NElkhe7NZJ1+QQ5mSws19+PjP7TZpdeaPxxQfr6JN2Mi0a52tCaCmF0gIZHJj
/HyjQzJHb40w5e4Vqw2r4GxvgZvjmUiW4pvPXgKD+6Ykp+g4lhHldSSFnDakjSy3
OUM2idhKAHeHdFSm6UEv4ehhJM660DbDRujaZPpVuSKpcqKS79vcjs/gD/EGt/uG
rhwMQd321+WzaKcGxu0gbAVRMzAtP/yxMEovCU2zFfh3AxbopDg=
=KbmJ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="https://seclists.org/fulldisclosure/">https://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#23">By Date</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#23">By Thread</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4</strong> <em>Apple Product Security via Fulldisclosure (Mar 13)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started