Macbook Os Update 2019

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra

Released December 10, 2019

ATS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: A malicious application may be able to access restricted files

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8837: Csaba Fitzl (@theevilbit)

Entry updated December 18, 2019

Bluetooth

Available for: macOS Catalina 10.15

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

CallKit

Available for: macOS Catalina 10.15

Impact: Calls made using Siri may be initiated using the wrong cellular plan on devices with two active plans

Description: An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling.

CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL

CFNetwork Proxies

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team

Entry updated December 18, 2019

CFNetwork

Available for: macOS Catalina 10.15

Impact: An attacker in a privileged network position may be able to bypass HSTS for a limited number of specific top-level domains previously not in the HSTS preload list

Description: A configuration issue was addressed with additional restrictions.

CVE-2019-8834: Rob Sayre (@sayrer)

Entry added February 3, 2020

CUPS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: In certain configurations, a remote attacker may be able to submit arbitrary print jobs

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8842: Niky1235 of China Mobile

Entry updated December 18, 2019

CUPS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8839: Stephan Zeisberg of Security Research Labs

Entry updated December 18, 2019

FaceTime

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Processing malicious video via FaceTime may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8830: Natalie Silvanovich of Google Project Zero

Entry updated December 18, 2019

IOGraphics

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: A Mac may not lock immediately upon wake

Description: A logic issue was addressed with improved state management.

CVE-2019-8851: Vladik Khononov of DoiT International

Entry added February 3, 2020

Kernel

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed by removing the vulnerable code.

CVE-2019-8833: Ian Beer of Google Project Zero

Entry updated December 18, 2019

Kernel

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8828: Cim Stordal of Cognite

CVE-2019-8838: Dr Silvio Cesare of InfoSect

CVE-2019-8847: Apple

CVE-2019-8852: pattern-f (@pattern_F_) of WaCai

libexpat

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information

Description: This issue was addressed by updating to expat version 2.2.8.

CVE-2019-15903: Joonun Jang

Entry updated December 18, 2019

Notes

Available for: macOS Catalina 10.15

Impact: A remote attacker may be able to overwrite existing files

Description: A parsing issue in the handling of directory paths was addressed with improved path validation.

CVE-2020-9782: Allison Husain of UC Berkeley

Entry added April 4, 2020

OpenLDAP

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Multiple issues in OpenLDAP

Description: Multiple issues were addressed by updating to OpenLDAP version 2.4.28.

CVE-2012-1164

CVE-2012-2668

CVE-2013-4449

CVE-2015-1545

CVE-2019-13057

CVE-2019-13565

Entry updated February 3, 2020

Security

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8832: Insu Yun of SSLab at Georgia Tech

tcpdump

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Multiple issues in tcpdump

Description: Multiple issues were addressed by updating to tcpdump version 4.9.3 and libpcap version 1.9.1.

CVE-2017-16808

CVE-2018-10103

CVE-2018-10105

CVE-2018-14461

CVE-2018-14462

CVE-2018-14463

CVE-2018-14464

CVE-2018-14465

CVE-2018-14466

CVE-2018-14467

CVE-2018-14468

CVE-2018-14469

CVE-2018-14470

CVE-2018-14879

CVE-2018-14880

CVE-2018-14881

CVE-2018-14882

CVE-2018-16227

CVE-2018-16228

CVE-2018-16229

CVE-2018-16230

CVE-2018-16300

CVE-2018-16301

CVE-2018-16451

CVE-2018-16452

CVE-2019-15166

CVE-2019-15167

Entry updated February 11, 2020

Wi-Fi

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An attacker in Wi-Fi range may be able to view a small amount of network traffic

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

CVE-2019-15126: Milos Cermak at ESET

Entry added February 27, 2020

Additional recognition

Accounts

We would like to acknowledge Allison Husain of UC Berkeley, Kishan Bagaria (KishanBagaria.com), Tom Snelling of Loughborough University for their assistance.

Entry updated April 4, 2020

Core Data

We would like to acknowledge Natalie Silvanovich of Google Project Zero for their assistance.

Finder

We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance.

Entry added December 18, 2019

Kernel

We would like to acknowledge Daniel Roethlisberger of Swisscom CSIRT for their assistance.

Entry added December 18, 2019




