APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update
2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,
Security Update 2019-002 Sierra are now available and
addresses the following:

AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and
shrek_wzw of Qihoo 360 Nirvan Team

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file
metadata.
CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a
different user without prompting for the password
Description: A logic issue was addressed with improved state
management.
CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime
Available for: macOS Mojave 10.14.3
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin
(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend
Micro's Zero Day Initiative

iAP
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOGraphics
Available for: macOS Mojave 10.14.3
Impact: A Mac may not lock when disconnecting from an external
monitor
Description: A lock handling issue was addressed with improved lock
handling.
CVE-2019-8533: an anonymous researcher, James Eagan of Télécom
ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: Mounting a maliciously crafted NFS network share may lead to
arbitrary code execution with system privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8508: Dr. Silvio Cesare of InfoSect

Kernel
Available for: macOS Mojave 10.14.3
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360  Nirvan Team

Kernel
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-7293: Ned Williamson of Google

Kernel
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)
CVE-2019-8510: Stefan Esser of Antid0te UG

Messages
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to view sensitive user information
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2019-8546: ChiYuan Chang

Notes
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to view a user's locked notes
Description: An access issue was addressed with improved memory
management.
CVE-2019-8537: Greg Walker (gregwalker.us)

PackageKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved validation.
CVE-2019-8561: Jaron Bradley of Crowdstrike

Perl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: Multiple issues in Perl
Description: Multiple issues in Perl were addressed in this update.
CVE-2018-12015: Jakub Wilk
CVE-2018-18311: Jayakrishna Menon
CVE-2018-18313: Eiichi Tsukata

Power Management
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: Multiple input validation issues existed in MIG
generated code. These issues were addressed with improved validation.
CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure
(ssd-disclosure.com)

QuartzCore
Available for: macOS Mojave 10.14.3
Impact: Processing malicious data may lead to unexpected application
termination
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8526: Linus Henze (pinauten.de)

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre
(NCSC)

Siri
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to initiate a Dictation
request without user authorization
Description: An API issue existed in the handling of dictation
requests. This issue was addressed with improved validation.
CVE-2019-8502: Luke Deshotels of North Carolina State University,
Jordan Beichler of North Carolina State University, William Enck of
North Carolina State University, Costin Carabaș of University
POLITEHNICA of Bucharest, and Răzvan Deaconescu of University
POLITEHNICA of Bucharest

Time Machine
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A local user may be able to execute arbitrary shell commands
Description: This issue was addressed with improved checks.
CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

TrueTypeScaler
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero
Day Initiative

XPC
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

Additional recognition

Accounts
We would like to acknowledge Milan Stute of Secure Mobile Networking
Lab at Technische Universität Darmstadt for their assistance.

Books
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.

Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.

Mail
We would like to acknowledge Craig Young of Tripwire VERT and Hanno
Böck for their assistance.

Time Machine
We would like to acknowledge CodeColorist of Ant-Financial LightYear
Labs for their assistance.

Installation note:

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,
Security Update 2019-002 Sierra may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4,Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra的更多相关文章

  1. VMWare 14.1 15 Pro 安装 macOS Mojave 10.14.1系统 遇到的问题解决方案

    安装环境 WIN10VMware Workstation Pro 15.0.0 Build 10134415工具准备1.VMware Workstation Pro 15.0.0 Build 1013 ...

  2. OS + macOS Mojave 10.14.4 / sushi / ssh-keygen / ssh-copy-id

    s 系统版本: macOS 10.14.4 (18E226) 内核版本: Darwin 18.5.0 型号名称: Mac mini 2014 型号标识符: Macmini7,1 处理器名称: Inte ...

  3. macOS Mojave 10.14 无法安装brew缺少Command Line Tools for Xcode的解决办法

    问题描述: 首先我的版本是 Xcode 10.1 如果按照以前的方法安装brew 复制 1 /usr/bin/ruby -e "$(curl -fsSL https://raw.github ...

  4. 【Len's DMG】macOS Mojave 10.14.1 正式版 18B75 With Clover 4726原版镜像

    亮点:本次10.14.1正式版镜像更新config配置文件SMbios机型信息,让识别更趋于完善,自带去除10.14.1 USB端口限制补丁和最新USBInjectAll.kext,移除大量可能造成卡 ...

  5. macOS Mojave 10.14上安装iTunes12.6

    将一下内容保存为iTunes.scpt,并运行 set question to display dialog "确定是否删除 iTunes ?" buttons {"Ye ...

  6. Mac Mojave(10.14.1)执行Matlab的mex报错

    先装了matlab2018b,发现很频繁的crash,同时考虑到要跑的代码在>=2017a时就计算错误,于是转战matlab2016b matlab2016b安装后,执行mex -setup报错 ...

  7. Mac Mojave 10.14.5安装python tesserocr

    <1>先安装两个依赖库: brew install tesseract brew install leptonica 网上有些教程说要安装imagemagick,这里我觉得应该是不需要的, ...

  8. Apple macOS Mojave Intel Graphics Driver组件任意代码执行漏洞

    受影响系统:Apple macOS Mojave 10.14.5描述:CVE(CAN) ID: CVE-2019-8629 Apple macOS Mojave是苹果公司Mac电脑系列产品的操作系统. ...

  9. VMware虚拟机安装黑苹果MacOS Mojave系统详细教程

    更多资源请百度搜索:前端资源网 欢迎关注我的博客:www.w3h5.com 最近遇到一个H5页面的 iPhone X 刘海兼容问题.查到一个 XCode 编辑器,可以模拟 iPhone X 环境运行. ...

随机推荐

  1. JetBrains全家桶破解思路(最新更新:2019-04-17)

    JetBrains全家桶破解思路(以DataGrip为例) 2019-04-17 add new key 2019-01-24 add new key and code 2018-12-24 add ...

  2. Http协议常见状态码

    206 - 断点下载时用到,客户端请求了一部分内容,服务器成功把这部分内容返回给它,这时候就是用这个状态. 301 - 永久跳转,原地址不存在了,url被指向到另一个地址.这个主要是搜索引擎相关,影响 ...

  3. win32-api: 让 static 控件中的水平横行,垂直居中。

    CreateWindowEx(....., SS_CENTER | SS_CENTERIMAGE); SS_CENTER  能让文字水平居中. SS_CENTERIMAGE 能让文字垂直居中. htt ...

  4. javascript 实现页面显示当前时间 动态读秒

    用户进入网站后,出于友好目的,可以添加一些欢迎语句,并且显示系统当前时间,动态读秒的操作.还是直接粘贴代码吧 <script type="text/javascript"&g ...

  5. 一个时间上的比较 if else

    if (w<b.w) ; if (w>b.w) ; if (w<b.w) ; else if (w>b.w) ; 对于任何情况,执行的次数都是一样.只是对于汇编的代码,第二个方 ...

  6. plink格式文件转化为vcf文件(VCF versions convert)

    plink1.9版本支持转化为VCFv4.2格式 plink2.0版本支持转化为VCFv4.3格式 两个版本用到的命令不一样 对于plink1.9版本,转化为vcf文件的命令行为: plink --b ...

  7. python字符串的常用方法

  8. 使用Microsoft Toolkit 2.5 激活windows server 2012 R2与office

    本人亲测可以激活windows server 2012 R2版 关于此软件介绍如下: 这是一款可以用来管理或者配置 Microsoft Office 和 Windows 的许可证(密钥)的工具,也用来 ...

  9. socket关闭状态问题

    下面是对 譬如  “CLOSE_WAIT” 现象的一些解释: 主动关闭方和被动方经历的状态:FIN_WAIT_1(主动关闭一方): 当SOCKET在ESTABLISHED状态时,它想主动关     闭 ...

  10. day11-(cookie&&session)

    回顾: response:响应 往浏览器写东西 响应行 操作状态码 常用方法: setStatus(int code): 1 2 3 响应头 格式: key:value(value可以是多个) 常用方 ...