APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update
2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,
Security Update 2019-002 Sierra are now available and
addresses the following:

AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and
shrek_wzw of Qihoo 360 Nirvan Team

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file
metadata.
CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a
different user without prompting for the password
Description: A logic issue was addressed with improved state
management.
CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime
Available for: macOS Mojave 10.14.3
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin
(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend
Micro's Zero Day Initiative

iAP
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOGraphics
Available for: macOS Mojave 10.14.3
Impact: A Mac may not lock when disconnecting from an external
monitor
Description: A lock handling issue was addressed with improved lock
handling.
CVE-2019-8533: an anonymous researcher, James Eagan of Télécom
ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: Mounting a maliciously crafted NFS network share may lead to
arbitrary code execution with system privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8508: Dr. Silvio Cesare of InfoSect

Kernel
Available for: macOS Mojave 10.14.3
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360  Nirvan Team

Kernel
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-7293: Ned Williamson of Google

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)
CVE-2019-8510: Stefan Esser of Antid0te UG

Messages
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to view sensitive user information
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2019-8546: ChiYuan Chang

Notes
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to view a user's locked notes
Description: An access issue was addressed with improved memory
management.
CVE-2019-8537: Greg Walker (gregwalker.us)

PackageKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved validation.
CVE-2019-8561: Jaron Bradley of Crowdstrike

Perl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: Multiple issues in Perl
Description: Multiple issues in Perl were addressed in this update.
CVE-2018-12015: Jakub Wilk
CVE-2018-18311: Jayakrishna Menon
CVE-2018-18313: Eiichi Tsukata

Power Management
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: Multiple input validation issues existed in MIG
generated code. These issues were addressed with improved validation.
CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure
(ssd-disclosure.com)

QuartzCore
Available for: macOS Mojave 10.14.3
Impact: Processing malicious data may lead to unexpected application
termination
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8526: Linus Henze (pinauten.de)

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre
(NCSC)

Siri
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to initiate a Dictation
request without user authorization
Description: An API issue existed in the handling of dictation
requests. This issue was addressed with improved validation.
CVE-2019-8502: Luke Deshotels of North Carolina State University,
Jordan Beichler of North Carolina State University, William Enck of
North Carolina State University, Costin Carabaș of University
POLITEHNICA of Bucharest, and Răzvan Deaconescu of University
POLITEHNICA of Bucharest

Time Machine
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A local user may be able to execute arbitrary shell commands
Description: This issue was addressed with improved checks.
CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

TrueTypeScaler
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero
Day Initiative

XPC
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

Additional recognition

Accounts
We would like to acknowledge Milan Stute of Secure Mobile Networking
Lab at Technische Universität Darmstadt for their assistance.

Books
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.

Mail
We would like to acknowledge Craig Young of Tripwire VERT and Hanno
Böck for their assistance.

Time Machine
We would like to acknowledge CodeColorist of Ant-Financial LightYear
Labs for their assistance.

Installation note:

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,
Security Update 2019-002 Sierra may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4,Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra的更多相关文章

  1. VMWare 14.1 15 Pro 安装 macOS Mojave 10.14.1系统 遇到的问题解决方案

    安装环境 WIN10VMware Workstation Pro 15.0.0 Build 10134415工具准备1.VMware Workstation Pro 15.0.0 Build 1013 ...

  2. OS + macOS Mojave 10.14.4 / sushi / ssh-keygen / ssh-copy-id

    s 系统版本: macOS 10.14.4 (18E226) 内核版本: Darwin 18.5.0 型号名称: Mac mini 2014 型号标识符: Macmini7,1 处理器名称: Inte ...

  3. macOS Mojave 10.14 无法安装brew缺少Command Line Tools for Xcode的解决办法

    问题描述: 首先我的版本是 Xcode 10.1 如果按照以前的方法安装brew 复制 1 /usr/bin/ruby -e "$(curl -fsSL https://raw.github ...

  4. 【Len's DMG】macOS Mojave 10.14.1 正式版 18B75 With Clover 4726原版镜像

    亮点:本次10.14.1正式版镜像更新config配置文件SMbios机型信息,让识别更趋于完善,自带去除10.14.1 USB端口限制补丁和最新USBInjectAll.kext,移除大量可能造成卡 ...

  5. macOS Mojave 10.14上安装iTunes12.6

    将一下内容保存为iTunes.scpt,并运行 set question to display dialog "确定是否删除 iTunes ?" buttons {"Ye ...

  6. Mac Mojave(10.14.1)执行Matlab的mex报错

    先装了matlab2018b,发现很频繁的crash,同时考虑到要跑的代码在>=2017a时就计算错误,于是转战matlab2016b matlab2016b安装后,执行mex -setup报错 ...

  7. Mac Mojave 10.14.5安装python tesserocr

    <1>先安装两个依赖库: brew install tesseract brew install leptonica 网上有些教程说要安装imagemagick,这里我觉得应该是不需要的, ...

  8. Apple macOS Mojave Intel Graphics Driver组件任意代码执行漏洞

    受影响系统:Apple macOS Mojave 10.14.5描述:CVE(CAN) ID: CVE-2019-8629 Apple macOS Mojave是苹果公司Mac电脑系列产品的操作系统. ...

  9. VMware虚拟机安装黑苹果MacOS Mojave系统详细教程

    更多资源请百度搜索:前端资源网 欢迎关注我的博客:www.w3h5.com 最近遇到一个H5页面的 iPhone X 刘海兼容问题.查到一个 XCode 编辑器,可以模拟 iPhone X 环境运行. ...

随机推荐

  1. redux源码解析-redux的架构

    redux很小的一个框架,是从flux演变过来的,尽管只有775行,但是它的功能很重要.react要应用于生成环境必须要用flux或者redux,redux是flux的进化产物,优于flux. 而且r ...

  2. Ecplise 快捷键笔记

    1.显示出这个方法被哪些方法调用(Ctrl+Alt+H) 选中方法名,点右键,选“open call hierarchy”,其快捷键“Ctrl+Alt+H”,Eclipse就会显示出这个方法被哪些方法 ...

  3. 【CF1119D】Frets On Fire

    题目大意:给定一个长度为 n 的序列,给定一个恒定的 w,求解 \[\sum\limits_{i=1}^{n}min\{d[i],w\}\] 题解:学会了对最小值和式的快速处理. 若在下标的角度考虑, ...

  4. sprintf() 处理 float类型的数字,保留小数位等。

    关于 sprintf()的百科地址: http://baike.baidu.com/view/1295144.htm sprintf(szText, "%[填空字元][宽度][.精度]f&q ...

  5. ElasticSearch6.1.1集群搭建

    其实早就想研究ES了,因为之前用solr,资料较少(这倒不是问题,有问题去官网读文档),貌似用的人比较少?(别打我)前几天去京东面试,我觉得有必要了解一下es,昨天晚上简单了解了官方文档,今天居然鼓捣 ...

  6. testng+maven一些坑

    1. [TestNGContentHandler] [WARN] It is strongly recommended to add "<!DOCTYPE suite SYSTEM & ...

  7. java抽象类和抽象方法

    首先应该明确一点的是,抽象方法必须定义在抽象类中. 先看一个抽象类的定义: public abstract class Animal { public abstract void eat(); pub ...

  8. HTML学习笔记Day2

    一.部分表单元素的使用 1.表单的作用:用来收集用户信息 2.表单元素 (1)表单控件: 单行文本框:<input  type="text" value="默认值& ...

  9. Vue(小案例)底部tab栏和顶部title栏的实现

    ---恢复内容开始--- 一.前言 1.底部tab栏实现 2.顶部title栏实现 二.主要内容   1.底部tab栏实现(将底部导航提取到公共的组件中) 具体效果:当点击切换不同的tab的时候,对应 ...

  10. loopback(回环)

    Loopback接口是一个虚拟网络接口,在不同的领域,其含义也大不一样. 1.  TCP/IP协议栈中的loopback接口 在TCP/IP中回环设备是一个通过软件实现的虚拟网络接口,它不与任何硬件相 ...