Several security issues have been fixed and improved for users of macOS 10.13.6 and 10.14.6.

Besides releasing the latest update for users of macOS Catalina 10.15.1, Apple has also released updates for users of earlier macOS versions, namely macOS High Sierra and Mojave.

Specifically, the updates for macOS High Sierra 10.13.6 and macOS Mojave 10.14.6 improve the security features of both macOS versions.

The following is the full list of security update contents for macOS High Sierra and Mojave (including macOS Catalina):

Accounts

  • Available for: macOS Catalina 10.15
  • Impact: A remote attacker may be able to leak memory
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2019-8787: Steffen Klee of Secure Mobile Networking Lab at Technische Universität Darmstadt

App Store

  • Available for: macOS Catalina 10.15
  • Impact: A local attacker may be able to login to the account of a previously logged in user without valid credentials.
  • Description: An authentication issue was addressed with improved state management.
  • CVE-2019-8803: Kiyeon An, 차민규 (CHA Minkyu)

AppleGraphicsControl

  • Available for: macOS Catalina 10.15
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2019-8817: Arash Tohidi

AppleGraphicsControl

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8716: Zhiyi Zhang of Codesafe Team of Legendsec at Qi’anxin Group, Zhuo Liang of Qihoo 360 Vulcan Team

Associated Domains

  • Available for: macOS Catalina 10.15
  • Impact: Improper URL processing may lead to data exfiltration
  • Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.
  • CVE-2019-8788: Juha Lindstedt of Pakastin, Mirko Tanania, Rauli Rikama of Zero Keyboard Ltd

Audio

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved state management.
  • CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab

Audio

  • Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8785: Ian Beer of Google Project Zero
  • CVE-2019-8797: 08Tc3wBB working with SSD Secure Disclosure

Books

  • Available for: macOS Catalina 10.15
  • Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
  • Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.
  • CVE-2019-8789: Gertjan Franken of imec-DistriNet, KU Leuven

Contacts

  • Available for: macOS Catalina 10.15
  • Impact: Processing a maliciously crafted contact may lead to UI spoofing
  • Description: An inconsistent user interface issue was addressed with improved state management.
  • CVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)

CUPS

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: An attacker in a privileged network position may be able to leak sensitive user information
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2019-8736: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)

CUPS

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Processing a maliciously crafted string may lead to heap corruption
  • Description: A memory consumption issue was addressed with improved memory handling.
  • CVE-2019-8767: Stephen Zeisberg

CUPS

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: An attacker in a privileged position may be able to perform a denial of service attack
  • Description: A denial of service issue was addressed with improved validation.
  • CVE-2019-8737: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)

File Quarantine

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: A malicious application may be able to elevate privileges
  • Description: This issue was addressed by removing the vulnerable code.
  • CVE-2019-8509: CodeColorist of Ant-Financial LightYear Labs

File System Events

  • Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8798: ABC Research s.r.o. working with Trend Micro’s Zero Day Initiative

Graphics

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Processing a malicious shader may result in unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved input validation.
  • CVE-2018-12152: Piotr Bania of Cisco Talos
  • CVE-2018-12153: Piotr Bania of Cisco Talos
  • CVE-2018-12154: Piotr Bania of Cisco Talos

Graphics Driver

  • Available for: macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8784: Vasiliy Vasilyev and Ilya Finogeev of Webinar, LLC

Intel Graphics Driver

  • Available for: macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8807: Yu Wang of Didi Research America

IOGraphics

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: A local user may be able to cause unexpected system termination or read kernel memory
  • Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2019-8759: another of 360 Nirvan Team

iTunes

  • Available for: macOS Catalina 10.15
  • Impact: Running the iTunes installer in an untrusted directory may result in arbitrary code execution
  • Description: A dynamic library loading issue existed in iTunes setup. This was addressed with improved path searching.
  • CVE-2019-8801: Hou JingYi (@hjy79425575) of Qihoo 360 CERT

Kernel

  • Available for: macOS Catalina 10.15
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization.
  • CVE-2019-8794: 08Tc3wBB working with SSD Secure Disclosure

Kernel

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8786: an anonymous researcher

Kernel

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: A malicious application may be able to determine kernel memory layout
  • Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.
  • CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team

libxml2

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Multiple issues in libxml2
  • Description: Multiple memory corruption issues were addressed with improved input validation.
  • CVE-2019-8749: found by OSS-Fuzz
  • CVE-2019-8756: found by OSS-Fuzz

libxslt

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Multiple issues in libxslt
  • Description: Multiple memory corruption issues were addressed with improved input validation.
  • CVE-2019-8750: found by OSS-Fuzz

manpages

  • Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15
  • Impact: A malicious application may be able to gain root privileges
  • Description: A validation issue was addressed with improved logic.
  • CVE-2019-8802: Csaba Fitzl (@theevilbit)

PluginKit

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: A local user may be able to check for the existence of arbitrary files
  • Description: A logic issue was addressed with improved restrictions.
  • CVE-2019-8708: an anonymous researcher

PluginKit

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2019-8715: an anonymous researcher

System Extensions

  • Available for: macOS Catalina 10.15
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.
  • CVE-2019-8805: Scott Knight (@sdotknight) of VMware Carbon Black TAU

UIFoundation

  • Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
  • Impact: Parsing a maliciously crafted text file may lead to disclosure of user information
  • Description: This issue was addressed with improved checks.
  • CVE-2019-8761: Renee Trisberg of SpectX

You can update macOS directly from your Mac, or download the security update files separately from the Download Security Update 2019-006 (High Sierra) page, which is 1.92GB in size, or the Download Security Update 2019-001 (Mojave) page, which is 1.56GB in size.

Alternatively, Catalina users can download the update file from Download macOS Catalina 10.15.1 Update (4.53GB).
