Apple released a stunning assortment of security updates and operating system upgrades (which are also security updates) on September 16. First, though: what is the difference between a security update and an operating system upgrade?
Security update: a package of rewritten parts of an operating system to patch insecure parts, add new parts to make things more secure, or sometimes simply remove parts so they can’t be compromised.
Operating system upgrade: a complete replacement of the old operating system with a new one, with new capabilities, features, and — security updates.
This is a long post, as it reprints the security notifications Apple mailed out for the various updates and upgrades. You can scroll past things you don’t own and read about things you do own.
iOS and iPadOS updates and upgrades
APPLE-SA-09-16-2024-1 iOS 18 and iPadOS 18
iOS 18 and iPadOS 18 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121250.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker with physical access may be able to use Siri to
access sensitive user data
Description: This issue was addressed through improved state management.
CVE-2024-40840: Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain
College of Technology Bhopal India
Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to enumerate a user’s installed apps
Description: This issue was addressed with improved data protection.
CVE-2024-40830: Chloe Surett
Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker with physical access to a locked device may be able
to Control Nearby Devices via accessibility features
Description: This issue was addressed through improved state management.
CVE-2024-44171: Jake Derouin
Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker may be able to see recent photos without
authentication in Assistive Access
Description: This issue was addressed by restricting options offered on
a locked device.
CVE-2024-40852: Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain
College of Technology Bhopal India
Cellular
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: This issue was addressed through improved state management.
CVE-2024-27874: Tuan D. Hoang
Compression
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Control Center
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to record the screen without an indicator
Description: The issue was addressed with improved checks.
CVE-2024-27869: an anonymous researcher
Core Bluetooth
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: A malicious Bluetooth input device may bypass pairing
Description: This issue was addressed through improved state management.
CVE-2024-44124: Daniele Antonioli
FileProvider
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved validation of
symlinks.
CVE-2024-44131: @08Tc3wBB of Jamf
Game Center
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative and an anonymous researcher
IOSurfaceAccelerator
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: An integer overflow was addressed through improved input
validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
Mail Accounts
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
mDNSResponder
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Model I/O
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may lead to a
denial-of-service
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
NetworkExtension
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may gain unauthorized access to Local Network
Description: This issue was addressed through improved state management.
CVE-2024-44147: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
Notes
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
Printing
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An unencrypted document may be written to a temporary file when
using print preview
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-40826: an anonymous researcher
Safari Private Browsing
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Private Browsing tabs may be accessed without authentication
Description: An authentication issue was addressed with improved state
management.
CVE-2024-44202: Kenneth Chew
Safari Private Browsing
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Private Browsing tabs may be accessed without authentication
Description: This issue was addressed through improved state management.
CVE-2024-44127: Anamika Adhikari
Sandbox
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to leak sensitive user information
Description: This issue was addressed with improved data protection.
CVE-2024-40863: Csaba Fitzl (@theevilbit) of Offensive Security
Siri
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker with physical access may be able to access contacts
from the lock screen
Description: The issue was addressed with improved checks.
CVE-2024-44139: Srijan Poudel
CVE-2024-44180: Bistrit Dahal
Siri
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data to a
more secure location.
CVE-2024-44170: K宝, LFY (@secsys), Smi1e, yulige, Cristian Dinca
(icmd.tech), Rodolphe BRUNETTI (@eisw0lf)
Transparency
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
UIKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker may be able to cause unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2024-27879: Justin Cohen
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
Wi-Fi
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and later, iPad Pro 11-inch 1st generation and later,
iPad Air 3rd generation and later, iPad 7th generation and later, and
iPad mini 5th generation and later
Impact: An attacker may be able to force a device to disconnect from a
secure network
Description: An integrity issue was addressed with Beacon Protection.
CVE-2024-40856: Domien Schepers
Additional recognition
Core Bluetooth
We would like to acknowledge Nicholas C. of Onymos Inc. (onymos.com) for
their assistance.
Foundation
We would like to acknowledge Ostorlab for their assistance.
Installer
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi
Narain College of Technology Bhopal India, Christian Scalese, Ishan
Boda, Shane Gallagher, Chi Yuan Chang of ZUSO ART and taikosoup for
their assistance.
Kernel
We would like to acknowledge Braxton Anderson, Deutsche Telekom Security
GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik,
Fakhri Zulkifli (@d0lph1n98) of PixiePoint Security for their
assistance.
Magnifier
We would like to acknowledge Andr.Ess for their assistance.
Maps
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Messages
We would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup
for their assistance.
MobileLockdown
We would like to acknowledge Andr.Ess for their assistance.
Notifications
We would like to acknowledge an anonymous researcher for their
assistance.
Passwords
We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their
assistance.
Photos
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi
Narain College of Technology Bhopal India, Harsh Tyagi, Kenneth Chew,
Leandro Chaves, Saurabh Kumar from Technocrat Institute of Technology
Bhopal, Shibin B Shaji, Vishnu Prasad P G, UST, Yusuf Kelany for their
assistance.
Safari
We would like to acknowledge Hafiizh and YoKo Kho (@yokoacc) of HakTrak,
James Lee (@Windowsrcer) for their assistance.
Shortcuts
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Jacob Braun, an anonymous
researcher for their assistance.
Siri
We would like to acknowledge Rohan Paudel for their assistance.
Status Bar
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi
Narain College of Technology Bhopal India, Jacob Braun for their
assistance.
TCC
We would like to acknowledge Vaibhav Prajapati for their assistance.
UIKit
We would like to acknowledge Andr.Ess for their assistance.
Voice Memos
We would like to acknowledge Lisa B for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz, (Oligo Security),
Johan Carlsson (joaxcar) for their assistance.
Wi-Fi
We would like to acknowledge Antonio Zekic (@antoniozekic) and
ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks.ai for their
assistance.
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer’s Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple’s update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting
Don’t Install will present the option the next time you connect
your iOS device.
The automatic update process may take up to a week depending on
the day that iTunes or the device checks for updates. You may
manually obtain the update via the Check for Updates button
within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
“iOS 18 and iPadOS 18”.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
APPLE-SA-09-16-2024-8 iOS 17.7 and iPadOS 17.7
iOS 17.7 and iPadOS 17.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121246.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An attacker with physical access to a locked device may be able
to Control Nearby Devices via accessibility features
Description: This issue was addressed through improved state management.
CVE-2024-44171: Jake Derouin
Compression
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Game Center
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
IOSurfaceAccelerator
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
Mail Accounts
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
mDNSResponder
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Safari Private Browsing
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: Private Browsing tabs may be accessed without authentication
Description: This issue was addressed through improved state management.
CVE-2024-44127: Anamika Adhikari
Shortcuts
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44158: Kirin (@Pwnrin)
Shortcuts
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to observe data displayed to the user by
Shortcuts
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea
Sync Services
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2024-44164: Mickey Jin (@patch1t)
Transparency
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
UIKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st
generation and later, iPad Air 3rd generation and later, iPad 6th
generation and later, and iPad mini 5th generation and later
Impact: An attacker may be able to cause unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2024-27879: Justin Cohen
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer’s Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from https://www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple’s update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting
Don’t Install will present the option the next time you connect
your iOS device.
The automatic update process may take up to a week depending on
the day that iTunes or the device checks for updates. You may
manually obtain the update via the Check for Updates button
within iTunes, or the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
“iOS 17.7 and iPadOS 17.7”.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
macOS updates and upgrades
APPLE-SA-09-16-2024-2 macOS Sequoia 15
macOS Sequoia 15 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121238.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to leak sensitive user information
Description: The issue was addressed with improved checks.
CVE-2024-44129
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved permissions logic.
CVE-2024-44153: Mickey Jin (@patch1t)
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44188: Bohdan Stasiuk (@Bohdan_Stasiuk)
APFS
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious app with root privileges may be able to modify the
contents of system files
Description: The issue was addressed with improved checks.
CVE-2024-40825: Pedro Tôrres (@t0rr3sp3dr0)
APNs
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app with root privileges may be able to access private
information
Description: This issue was addressed with improved data protection.
CVE-2024-44130
App Intents
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive data logged when a
shortcut fails to launch another app
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44182: Kirin (@Pwnrin)
AppleGraphicsControl
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: A memory initialization issue was addressed with improved
memory handling.
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppleGraphicsControl
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted video file may lead to
unexpected app termination
Description: The issue was addressed with improved memory handling.
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2024-44164: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40837: Kirin (@Pwnrin)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional code-signing
restrictions.
CVE-2024-40847: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An attacker may be able to read sensitive information
Description: A downgrade issue was addressed with additional
code-signing restrictions.
CVE-2024-40848: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A library injection issue was addressed with additional
restrictions.
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos
AppleVA
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An application may be able to read restricted memory
Description: The issue was addressed with improved memory handling.
CVE-2024-27860: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
CVE-2024-27861: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppleVA
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted video file may lead to
unexpected app termination
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppSandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A camera extension may be able to access the internet
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-27795: Halle Winkler, Politepix @hallewinkler
AppSandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected files within an App
Sandbox container
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44135: Mickey Jin (@patch1t)
ArchiveService
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved handling of
symlinks.
CVE-2024-44132: Mickey Jin (@patch1t)
Automator
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An Automator Quick Action workflow may be able to bypass
Gatekeeper
Description: This issue was addressed by adding an additional prompt for
user consent.
CVE-2024-44128: Anton Boegler
bless
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44151: Mickey Jin (@patch1t)
Compression
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Control Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to record the screen without an indicator
Description: The issue was addressed with improved checks.
CVE-2024-27869: an anonymous researcher
Control Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Privacy Indicators for microphone or camera access may be
attributed incorrectly
Description: A logic issue was addressed with improved state management.
CVE-2024-27875: Yiğit Can YILMAZ (@yilmazcanyigit)
copyfile
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: A logic issue was addressed with improved file handling.
CVE-2024-44146: an anonymous researcher
CUPS
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-4504
Disk Images
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved validation of file
attributes.
CVE-2024-44148: an anonymous researcher
Dock
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by removing sensitive data.
CVE-2024-44177: an anonymous researcher
FileProvider
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved validation of
symlinks.
CVE-2024-44131: @08Tc3wBB of Jamf
Game Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
Image Capture
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access a user’s Photos Library
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40831: Mickey Jin (@patch1t)
ImageIO
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
Installer
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to gain root privileges
Description: The issue was addressed with improved checks.
CVE-2024-40861: Mickey Jin (@patch1t)
Intel Graphics Driver
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
Intel Graphics Driver
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
IOSurfaceAccelerator
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: An integer overflow was addressed through improved input
validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
Mail Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
Maps
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read sensitive location information
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-44181: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
mDNSResponder
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Model I/O
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted image may lead to a
denial-of-service
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
Music
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-27858: Meng Zhang (鲸落) of NorthSea, Csaba Fitzl (@theevilbit)
of Offensive Security
Notes
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
Notification Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious app may be able to access notifications from the
user’s device
Description: A privacy issue was addressed by moving sensitive data to a
protected location.
CVE-2024-40838: Brian McNulty, Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Vaibhav Prajapati
NSColor
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2024-44186: an anonymous researcher
OpenSSH
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Multiple issues in OpenSSH
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-39894
PackageKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved validation of
symlinks.
CVE-2024-44178: Mickey Jin (@patch1t)
Printing
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An unencrypted document may be written to a temporary file when
using print preview
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-40826: an anonymous researcher
Quick Look
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44149: Wojciech Regula of SecuRing (wojciechregula.blog), Csaba
Fitzl (@theevilbit) of OffSec
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Visiting a malicious website may lead to user interface spoofing
Description: This issue was addressed through improved state management.
CVE-2024-40797: Rifa’i Rejal Maynando
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious application may be able to leak sensitive user
information
Description: The issue was addressed with improved checks.
CVE-2024-44125: Zhongquan Li (@Guluisacat)
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious application may be able to access private
information
Description: The issue was addressed with improved checks.
CVE-2024-44163: Zhongquan Li (@Guluisacat)
Security Initialization
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito
(@pvieito), an anonymous researcher
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40837: Kirin (@Pwnrin)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44158: Kirin (@Pwnrin)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to observe data displayed to the user by
Shortcuts
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea
Siri
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data to a
more secure location.
CVE-2024-44170: K宝, LFY (@secsys), Smi1e, yulige, Cristian Dinca
(icmd.tech), Rodolphe BRUNETTI (@eisw0lf)
sudo
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-40860: Arsenii Kostromin (0x3c3e)
System Settings
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-44152: Kirin (@Pwnrin)
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
System Settings
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read arbitrary files
Description: A path handling issue was addressed with improved
validation.
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)
TCC
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: On MDM managed devices, an app may be able to bypass certain
Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44133: Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft
Transparency
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
TV App
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40859: Csaba Fitzl (@theevilbit) of Offensive Security
Vim
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-41957
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI.
WebKit Bugzilla: 279451
CVE-2024-40866: Hafiizh and YoKo Kho (@yokoacc) of HakTrak
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A non-privileged user may be able to modify restricted network
settings
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40770: Yiğit Can YILMAZ (@yilmazcanyigit)
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2024-23237: Charly Suchanek
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read sensitive location information
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44134
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An attacker may be able to force a device to disconnect from a
secure network
Description: An integrity issue was addressed with Beacon Protection.
CVE-2024-40856: Domien Schepers
WindowServer
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A logic issue existed where a process may be able to capture
screen contents without user consent
Description: The issue was addressed with improved checks.
CVE-2024-44189: Tim Clem
XProtect
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved validation of
environment variables.
CVE-2024-40842: Gergely Kalman (@gergely_kalman)
XProtect
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac
Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and
later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2024-40843: Koh M. Nakagawa (@tsunek0h)
Additional recognition
Admin Framework
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
Airport
We would like to acknowledge David Dudok de Wit, Yiğit Can YILMAZ
(@yilmazcanyigit) for their assistance.
APFS
We would like to acknowledge Georgi Valkov of httpstorm.com for their
assistance.
App Store
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
AppKit
We would like to acknowledge @08Tc3wBB of Jamf for their assistance.
Apple Neural Engine
We would like to acknowledge Jiaxun Zhu (@svnswords) and Minghao Lin
(@Y1nKoc) for their assistance.
Automator
We would like to acknowledge Koh M. Nakagawa (@tsunek0h) for their
assistance.
Core Bluetooth
We would like to acknowledge Nicholas C. of Onymos Inc. (onymos.com) for
their assistance.
Core Services
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Kirin (@Pwnrin) and 7feilee,
Snoolie Keffaber (@0xilis), Tal Lossos, Zhongquan Li (@Guluisacat) for
their assistance.
Disk Utility
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for
their assistance.
FileProvider
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Foundation
We would like to acknowledge Ostorlab for their assistance.
Kernel
We would like to acknowledge Braxton Anderson, Fakhri Zulkifli
(@d0lph1n98) of PixiePoint Security for their assistance.
libxpc
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:
@pajp@blog.dll.nu) for their assistance.
LLVM
We would like to acknowledge Victor Duta of Universiteit Amsterdam,
Fabio Pagani of University of California, Santa Barbara, Cristiano
Giuffrida of Universiteit Amsterdam, Marius Muench, and Fabian Freyer
for their assistance.
Maps
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Music
We would like to acknowledge Khiem Tran of databaselog.com/khiemtran, K宝
and LFY@secsys from Fudan University, Yiğit Can YILMAZ (@yilmazcanyigit)
for their assistance.
Notifications
We would like to acknowledge an anonymous researcher for their
assistance.
PackageKit
We would like to acknowledge Csaba Fitzl (@theevilbit) of OffSec, Mickey
Jin (@patch1t), Zhongquan Li (@Guluisacat) for their assistance.
Passwords
We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their
assistance.
Photos
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi
Narain College of Technology Bhopal India, Harsh Tyagi, Leandro Chaves
for their assistance.
Podcasts
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Quick Look
We would like to acknowledge Zhipeng Huo (@R3dF09) of Tencent Security
Xuanwu Lab (xlab.tencent.com) for their assistance.
Safari
We would like to acknowledge Hafiizh and YoKo Kho (@yokoacc) of HakTrak,
Junsung Lee, Shaheen Fazim for their assistance.
Sandbox
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Kirin (@Pwnrin) of NorthSea,
Wojciech Regula of SecuRing (wojciechregula.blog), Yiğit Can YILMAZ
(@yilmazcanyigit) for their assistance.
Screen Capture
We would like to acknowledge Joshua Jewett (@JoshJewett33), Yiğit Can
YILMAZ (@yilmazcanyigit), an anonymous researcher for their assistance.
Shortcuts
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Jacob Braun, an anonymous
researcher for their assistance.
Siri
We would like to acknowledge Rohan Paudel for their assistance.
SystemMigration
We would like to acknowledge Jamey Wicklund, Kevin Jansen, an anonymous
researcher for their assistance.
TCC
We would like to acknowledge Noah Gregory (wts.dev), Vaibhav Prajapati
for their assistance.
UIKit
We would like to acknowledge Andr.Ess for their assistance.
Voice Memos
We would like to acknowledge Lisa B for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz (Oligo Security),
Johan Carlsson (joaxcar) for their assistance.
Wi-Fi
We would like to acknowledge Antonio Zekic (@antoniozekic) and
ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks.ai for their
assistance.
WindowServer
We would like to acknowledge Felix Kratz, an anonymous researcher for
their assistance.
macOS Sequoia 15 may be obtained from the Mac App Store or Apple’s
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
APPLE-SA-09-16-2024-9 macOS Sonoma 14.7
macOS Sonoma 14.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121247.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accounts
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved permissions logic.
CVE-2024-44153: Mickey Jin (@patch1t)
App Intents
Available for: macOS Sonoma
Impact: An app may be able to access sensitive data logged when a
shortcut fails to launch another app
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44182: Kirin (@Pwnrin)
AppleGraphicsControl
Available for: macOS Sonoma
Impact: Processing a maliciously crafted video file may lead to
unexpected app termination
Description: The issue was addressed with improved memory handling.
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative
AppleGraphicsControl
Available for: macOS Sonoma
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: A memory initialization issue was addressed with improved
memory handling.
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional code-signing
restrictions.
CVE-2024-40847: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2024-44164: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: A library injection issue was addressed with additional
restrictions.
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos
AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An attacker may be able to read sensitive information
Description: A downgrade issue was addressed with additional code-
signing restrictions.
CVE-2024-40848: Mickey Jin (@patch1t)
AppleVA
Available for: macOS Sonoma
Impact: Processing a maliciously crafted video file may lead to
unexpected app termination
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
AppSandbox
Available for: macOS Sonoma
Impact: An app may be able to access protected files within an App
Sandbox container
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44135: Mickey Jin (@patch1t)
Automator
Available for: macOS Sonoma
Impact: An Automator Quick Action workflow may be able to bypass
Gatekeeper
Description: This issue was addressed by adding an additional prompt for
user consent.
CVE-2024-44128: Anton Boegler
bless
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44151: Mickey Jin (@patch1t)
Compression
Available for: macOS Sonoma
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Dock
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by removing sensitive data.
CVE-2024-44177: an anonymous researcher
Game Center
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: macOS Sonoma
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: macOS Sonoma
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
Intel Graphics Driver
Available for: macOS Sonoma
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
Intel Graphics Driver
Available for: macOS Sonoma
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
IOSurfaceAccelerator
Available for: macOS Sonoma
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: macOS Sonoma
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Mail Accounts
Available for: macOS Sonoma
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
Maps
Available for: macOS Sonoma
Impact: An app may be able to read sensitive location information
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-44181: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
mDNSResponder
Available for: macOS Sonoma
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Notes
Available for: macOS Sonoma
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
PackageKit
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved validation of
symlinks.
CVE-2024-44178: Mickey Jin (@patch1t)
Safari
Available for: macOS Sonoma
Impact: Visiting a malicious website may lead to user interface spoofing
Description: This issue was addressed through improved state management.
CVE-2024-40797: Rifa’i Rejal Maynando
Sandbox
Available for: macOS Sonoma
Impact: A malicious application may be able to access private
information
Description: The issue was addressed with improved checks.
CVE-2024-44163: Zhongquan Li (@Guluisacat)
Sandbox
Available for: macOS Sonoma
Impact: A malicious application may be able to leak sensitive user
information
Description: The issue was addressed with improved checks.
CVE-2024-44125: Zhongquan Li (@Guluisacat)
Security Initialization
Available for: macOS Sonoma
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito
(@pvieito), an anonymous researcher
Shortcuts
Available for: macOS Sonoma
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44158: Kirin (@Pwnrin)
Shortcuts
Available for: macOS Sonoma
Impact: An app may be able to observe data displayed to the user by
Shortcuts
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea
sudo
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-40860: Arsenii Kostromin (0x3c3e)
System Settings
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
System Settings
Available for: macOS Sonoma
Impact: An app may be able to read arbitrary files
Description: A path handling issue was addressed with improved
validation.
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)
Transparency
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
Additional recognition
Airport
We would like to acknowledge David Dudok de Wit for their assistance.
macOS Sonoma 14.7 may be obtained from the Mac App Store or Apple’s
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
APPLE-SA-09-16-2024-10 macOS Ventura 13.7
macOS Ventura 13.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121234.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accounts
Available for: macOS Ventura
Impact: An app may be able to leak sensitive user information
Description: The issue was addressed with improved checks.
CVE-2024-44129
App Intents
Available for: macOS Ventura
Impact: An app may be able to access sensitive data logged when a
shortcut fails to launch another app
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44182: Kirin (@Pwnrin)
AppKit
Available for: macOS Ventura
Impact: An unprivileged app may be able to log keystrokes in other apps
including those using secure input mode
Description: A logic issue was addressed with improved restrictions.
CVE-2024-27886: Stephan Casas, an anonymous researcher
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional code-signing
restrictions.
CVE-2024-40847: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: A downgrade issue was addressed with additional code-
signing restrictions.
CVE-2024-40814: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2024-44164: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file system
Description: A library injection issue was addressed with additional
restrictions.
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos
AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An attacker may be able to read sensitive information
Description: A downgrade issue was addressed with additional code-
signing restrictions.
CVE-2024-40848: Mickey Jin (@patch1t)
Automator
Available for: macOS Ventura
Impact: An Automator Quick Action workflow may be able to bypass
Gatekeeper
Description: This issue was addressed by adding an additional prompt for
user consent.
CVE-2024-44128: Anton Boegler
bless
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file system
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44151: Mickey Jin (@patch1t)
Compression
Available for: macOS Ventura
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Dock
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by removing sensitive data.
CVE-2024-44177: an anonymous researcher
Game Center
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: macOS Ventura
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
Intel Graphics Driver
Available for: macOS Ventura
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
Intel Graphics Driver
Available for: macOS Ventura
Impact: Processing a maliciously crafted texture may lead to unexpected
app termination
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative
IOSurfaceAccelerator
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: macOS Ventura
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Mail Accounts
Available for: macOS Ventura
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
Maps
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-44181: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
mDNSResponder
Available for: macOS Ventura
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Notes
Available for: macOS Ventura
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
PackageKit
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved validation of
symlinks.
CVE-2024-44178: Mickey Jin (@patch1t)
Safari
Available for: macOS Ventura
Impact: Visiting a malicious website may lead to user interface spoofing
Description: This issue was addressed through improved state management.
CVE-2024-40797: Rifa’i Rejal Maynando
Sandbox
Available for: macOS Ventura
Impact: A malicious application may be able to access private
information
Description: The issue was addressed with improved checks.
CVE-2024-44163: Zhongquan Li (@Guluisacat)
Shortcuts
Available for: macOS Ventura
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44158: Kirin (@Pwnrin)
Shortcuts
Available for: macOS Ventura
Impact: An app may be able to observe data displayed to the user by
Shortcuts
Description: A privacy issue was addressed with improved handling of
temporary files.
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea
System Settings
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
System Settings
Available for: macOS Ventura
Impact: An app may be able to read arbitrary files
Description: A path handling issue was addressed with improved
validation.
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)
Transparency
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
Additional recognition
Airport
We would like to acknowledge David Dudok de Wit for their assistance.
macOS Ventura 13.7 may be obtained from the Mac App Store or Apple’s
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
watchOS 11
APPLE-SA-09-16-2024-4 watchOS 11
watchOS 11 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121240.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Accessibility
Available for: Apple Watch Series 6 and later
Impact: An attacker with physical access to a locked device may be able
to Control Nearby Devices via accessibility features
Description: This issue was addressed through improved state management.
CVE-2024-44171: Jake Derouin
Game Center
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
IOSurfaceAccelerator
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: Apple Watch Series 6 and later
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: An integer overflow was addressed through improved input
validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
mDNSResponder
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Siri
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data to a
more secure location.
CVE-2024-44170: K宝, LFY (@secsys), Smi1e, yulige, Cristian Dinca
(icmd.tech), Rodolphe BRUNETTI (@eisw0lf)
WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: Apple Watch Series 6 and later
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
Additional recognition
Kernel
We would like to acknowledge Braxton Anderson, Fakhri Zulkifli
(@d0lph1n98) of PixiePoint Security for their assistance.
Maps
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Shortcuts
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National
High School of Computer Science, Romania, Jacob Braun, an anonymous
researcher for their assistance.
Siri
We would like to acknowledge Rohan Paudel, an anonymous researcher for
their assistance.
Voice Memos
We would like to acknowledge Lisa B for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz (Oligo Security),
Johan Carlsson (joaxcar) for their assistance.
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/108926 To check the version
on your Apple Watch, open the Apple Watch app on your iPhone and
select “My Watch > General > About”.
Alternatively, on your watch, select “My Watch > General > About”.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
tvOS 18
APPLE-SA-09-16-2024-3 tvOS 18
tvOS 18 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121248.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Game Center
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative, an anonymous researcher
IOSurfaceAccelerator
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: An integer overflow was addressed through improved input
validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
mDNSResponder
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Model I/O
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing a maliciously crafted image may lead to a denial-of-
service
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
Wi-Fi
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An attacker may be able to force a device to disconnect from a
secure network
Description: An integrity issue was addressed with Beacon Protection.
CVE-2024-40856: Domien Schepers
Additional recognition
Kernel
We would like to acknowledge Braxton Anderson, Fakhri Zulkifli
(@d0lph1n98) of PixiePoint Security for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz (Oligo Security),
Johan Carlsson (joaxcar) for their assistance.
Wi-Fi
We would like to acknowledge Antonio Zekic (@antoniozekic) and
ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks.ai for their
assistance.
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting “Settings ->
System -> Software Update -> Update Software.” To check the current
version of software, select “Settings -> General -> About.”
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
visionOS 2
APPLE-SA-09-16-2024-5 visionOS 2
visionOS 2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121249.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
APFS
Available for: Apple Vision Pro
Impact: A malicious app with root privileges may be able to modify the
contents of system files
Description: The issue was addressed with improved checks.
CVE-2024-40825: Pedro Tôrres (@t0rr3sp3dr0)
Compression
Available for: Apple Vision Pro
Impact: Unpacking a maliciously crafted archive may allow an attacker to
write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Game Center
Available for: Apple Vision Pro
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input
validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
ImageIO
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted file may lead to unexpected app
termination
Description: An out-of-bounds read issue was addressed with improved
input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved
bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero
Day Initiative and an anonymous researcher
IOSurfaceAccelerator
Available for: Apple Vision Pro
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: Apple Vision Pro
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Kernel
Available for: Apple Vision Pro
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven
(@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: An integer overflow was addressed through improved input
validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
mDNSResponder
Available for: Apple Vision Pro
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Model I/O
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted image may lead to a denial-of-
service
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
Notes
Available for: Apple Vision Pro
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
Presence
Available for: Apple Vision Pro
Impact: An app may be able to read sensitive data from the GPU memory
Description: The issue was addressed with improved handling of caches.
CVE-2024-40790: Max Thomas
WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: Apple Vision Pro
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
Additional recognition
Kernel
We would like to acknowledge Braxton Anderson for their assistance.
Maps
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Passwords
We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their
assistance.
TCC
We would like to acknowledge Vaibhav Prajapati for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz (Oligo Security), and
Johan Carlsson (joaxcar) for their assistance.
Instructions on how to update visionOS are available at
https://support.apple.com/HT214009. To check the software version
on your Apple Vision Pro, open the Settings app and choose General >
About.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
Safari 18 (Safari is included with the previous security updates and upgrades)
APPLE-SA-09-16-2024-6 Safari 18
Safari 18 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121241.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
WebKit
Available for: macOS Ventura and macOS Sonoma
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI.
WebKit Bugzilla: 279451
CVE-2024-40866: Hafiizh and YoKo Kho (@yokoacc) of HakTrak
WebKit
Available for: macOS Ventura and macOS Sonoma
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This
was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)
WebKit
Available for: macOS Ventura and macOS Sonoma
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
Additional recognition
Safari
We would like to acknowledge Hafiizh and YoKo Kho (@yokoacc) of HakTrak
for their assistance.
Safari 18 may be obtained from the Mac App Store.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
Xcode 16 (Xcode is used by programmers and developers)
APPLE-SA-09-16-2024-7 Xcode 16
Xcode 16 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121239.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
IDE Documentation
Available for: macOS Sonoma 14.5 and later
Impact: A malicious application may gain access to a user’s Keychain
items
Description: This issue was addressed by enabling hardened runtime.
CVE-2024-44162: Mickey Jin (@patch1t)
IDE Tools
Available for: macOS Sonoma 14.5 and later
Impact: An attacker may be able to determine the Apple ID of the owner
of the computer
Description: A privacy issue was addressed by removing sensitive data.
CVE-2024-40862: Guilherme Rambo of Best Buddy Apps (rambo.codes)
Kernel
Available for: macOS Sonoma 14.5 and later
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, TU Darmstadt (@Sn0wfreeze)
and Mathy Vanhoef (@vanhoefm), DistriNet, KU Leuven
Additional recognition
Reality Composer Pro
We would like to acknowledge Ron Masas of BreakPoint.sh for their
assistance.
Swift
We would like to acknowledge Banavath Aravind for their assistance.
Xcode 16 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be “Xcode 16”.
All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.
