| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <D6BF72C2-5EB5-4B87-9DF4-49D02C51723D@lists.apple.com> Date: Mon, 16 Sep 2024 18:09:25 -0700 From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org> To: security-announce@...ts.apple.com Subject: [FD] APPLE-SA-09-16-2024-5 visionOS 2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-09-16-2024-5 visionOS 2 visionOS 2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121249. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. APFS Available for: Apple Vision Pro Impact: A malicious app with root privileges may be able to modify the contents of system files Description: The issue was addressed with improved checks. CVE-2024-40825: Pedro Tôrres (@t0rr3sp3dr0) Compression Available for: Apple Vision Pro Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files Description: A race condition was addressed with improved locking. CVE-2024-27876: Snoolie Keffaber (@0xilis) Game Center Available for: Apple Vision Pro Impact: An app may be able to access user-sensitive data Description: A file access issue was addressed with improved input validation. CVE-2024-40850: Denis Tokarev (@illusionofcha0s) ImageIO Available for: Apple Vision Pro Impact: Processing a maliciously crafted file may lead to unexpected app termination Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2024-27880: Junsung Lee ImageIO Available for: Apple Vision Pro Impact: Processing an image may lead to a denial-of-service Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero Day Initiative and an anonymous researcher IOSurfaceAccelerator Available for: Apple Vision Pro Impact: An app may be able to cause unexpected system termination Description: The issue was addressed with improved memory handling. CVE-2024-44169: Antonio Zekić Kernel Available for: Apple Vision Pro Impact: Network traffic may leak outside a VPN tunnel Description: A logic issue was addressed with improved checks. CVE-2024-44165: Andrew Lytvynov Kernel Available for: Apple Vision Pro Impact: An app may gain unauthorized access to Bluetooth Description: This issue was addressed through improved state management. CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven (@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef libxml2 Available for: Apple Vision Pro Impact: Processing maliciously crafted web content may lead to an unexpected process crash Description: An integer overflow was addressed through improved input validation. CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero mDNSResponder Available for: Apple Vision Pro Impact: An app may be able to cause a denial-of-service Description: A logic error was addressed with improved error handling. CVE-2024-44183: Olivier Levon Model I/O Available for: Apple Vision Pro Impact: Processing a maliciously crafted image may lead to a denial-of- service Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2023-5841 Notes Available for: Apple Vision Pro Impact: An app may be able to overwrite arbitrary files Description: This issue was addressed by removing the vulnerable code. CVE-2024-44167: ajajfxhj Presence Available for: Apple Vision Pro Impact: An app may be able to read sensitive data from the GPU memory Description: The issue was addressed with improved handling of caches. CVE-2024-40790: Max Thomas WebKit Available for: Apple Vision Pro Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: This issue was addressed through improved state management. WebKit Bugzilla: 268724 CVE-2024-40857: Ron Masas WebKit Available for: Apple Vision Pro Impact: A malicious website may exfiltrate data cross-origin Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. WebKit Bugzilla: 279452 CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India) Additional recognition Kernel We would like to acknowledge Braxton Anderson for their assistance. Maps We would like to acknowledge Kirin (@Pwnrin) for their assistance. Passwords We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their assistance. TCC We would like to acknowledge Vaibhav Prajapati for their assistance. WebKit We would like to acknowledge Avi Lumelsky, Uri Katz, (Oligo Security), Johan Carlsson (joaxcar) for their assistance. Instructions on how to update visionOS are available at https://support.apple.com/HT214009 To check the software version on your Apple Vision Pro, open the Settings app and choose General > About. All information is also posted on the Apple Security Releases web site: https://support.apple.com/100100. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboyKsACgkQX+5d1TXa IvqFuxAAopj95HCodS5RObRJUENK6BWIMzT6ZZGjq3uSaglBxCsDWnnrPrhAwZAF Xqe1eCauwXsl9lDJJ56dv0z2C84TZp5UP+nM+saBAZs9fzj037YSXXa8lriMBxMl XNjF22l60+9s/5kwLZDackZI57et6mQbTEKrFf9ZzuaPpuMPuHgvPICEjDjUOhFN noozxvy+D6jT8uTCLtAAk/4/B8sbOUJ5zRbyy1jmifLNtWgymxbSeoF5kHYedvdZ r65m84Q0W6WuxfEa0syjrsPFbHaBKnhD0bPLYR/nd5d0DCv1e36nj4z4tTWkAMZz jutBmHvawNAPJixppNOCME3p0agFxnBQBVsk5hPUEpKw7wlBmGjcK+tzfrNnivA7 kJrFOS3LAp9jtTY4E4JobrpYAvKOAwE2W1uby41iKjNcnNYiUmnUvCKwA/3EkB7W atVnSHuZepKbB7RD9MNz+U/AASL9oGBocvvd/c2kln/RSnhAFGE+xxw+xgtqQzrs VKlczIRaSB/Ryk8+uFHcLZ09SZziq8CX/nr1NZjI73IhwDD6x1YGUbUqV+mXsWTV gwpqCyC9trJJ9Qxcz/pDBGRDCSNxG6x7iY4GTRVAjmmtDIPFxd1znjjVrF6bneV7 vKX/YadQpz7Pqem6I67GFQjQGDVOvlhJ0v35K8VCH0LlRWsl3CE= =iu8f -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists