Message-id: <403F47D7-A367-4D5D-9727-5D201C87696D@lists.apple.com>
Date: Fri, 12 Dec 2025 14:56:36 -0700
From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org>
To: security-announce@...ts.apple.com
Subject: [FD] APPLE-SA-12-12-2025-4 macOS Sequoia 15.7.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-12-12-2025-4 macOS Sequoia 15.7.3

macOS Sequoia 15.7.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125887.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AppleJPEG
Available for: macOS Sequoia
Impact: Processing a file may lead to memory corruption
Description: The issue was addressed with improved bounds checks.
CVE-2025-43539: Michael Reeves (@IntegralPilot)

AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An app may be able to bypass launch constraint protections and
execute malicious code with elevated privileges
Description: The issue was addressed by adding additional logic.
CVE-2025-43320: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An app may be able to access user-sensitive data
Description: A downgrade issue affecting Intel-based Mac computers was
addressed with additional code-signing restrictions.
CVE-2025-43522: an anonymous researcher

AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A downgrade issue affecting Intel-based Mac computers was
addressed with additional code-signing restrictions.
CVE-2025-43521: an anonymous researcher

AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2025-43519: an anonymous researcher
CVE-2025-43523: an anonymous researcher

AppSandbox
Available for: macOS Sequoia
Impact: An app may be able to access protected user data
Description: A logic issue was addressed with improved file handling.
CVE-2025-46289: an anonymous researcher

Audio
Available for: macOS Sequoia
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved input validation.
CVE-2025-43482: Michael Reeves (@IntegralPilot), Jex Amro

Call History
Available for: macOS Sequoia
Impact: An app may be able to access protected user data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2025-43517: Wojciech Regula of SecuRing (wojciechregula.blog)

Call History
Available for: macOS Sequoia
Impact: An attacker may be able to spoof their FaceTime caller ID
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2025-46287: an anonymous researcher, Riley Walz

curl
Available for: macOS Sequoia
Impact: Multiple issues in curl
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-7264
CVE-2025-9086

FaceTime
Available for: macOS Sequoia
Impact: Password fields may be unintentionally revealed when remotely
controlling a device over FaceTime
Description: This issue was addressed with improved state management.
CVE-2025-43542: Yiğit Ocak

Foundation
Available for: macOS Sequoia
Impact: An app may be able to inappropriately access files through the
spellcheck API
Description: A logic issue was addressed with improved checks.
CVE-2025-43518: Noah Gregory (wts.dev)

Foundation
Available for: macOS Sequoia
Impact: Processing malicious data may lead to unexpected app termination
Description: A memory corruption issue was addressed with improved
bounds checking.
CVE-2025-43532: Andrew Calvano and Lucas Pinheiro of Meta Product
Security

Kernel
Available for: macOS Sequoia
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
CVE-2025-43512: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

Kernel
Available for: macOS Sequoia
Impact: An app may be able to gain root privileges
Description: An integer overflow was addressed by adopting 64-bit
timestamps.
CVE-2025-46285: Kaitao Xie and Xiaolong Bai of Alibaba Group

libarchive
Available for: macOS Sequoia
Impact: Processing a file may lead to memory corruption
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-5918

MDM Configuration Tools
Available for: macOS Sequoia
Impact: An app may be able to read sensitive location information
Description: A permissions issue was addressed by removing the
vulnerable code.
CVE-2025-43513: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

Messages
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: An information disclosure issue was addressed with improved
privacy controls.
CVE-2025-46276: Rosyna Keller of Totally Not Malicious Software

Networking
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved data protection.
CVE-2025-43509: Haoling Zhou, Shixuan Zhao (@NSKernel), Chao Wang
(@evi0s), Zhiqiang Lin from SecLab of The Ohio State University

SoftwareUpdate
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2025-43519: an anonymous researcher

StorageKit
Available for: macOS Sequoia
Impact: An app may be able to gain root privileges
Description: A permissions issue was addressed with additional
restrictions.
CVE-2025-43527: an anonymous researcher

StorageKit
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was
addressed with improved path validation.
CVE-2025-43463: Mickey Jin (@patch1t), Amy (@asentientbot)

sudo
Available for: macOS Sequoia
Impact: An app may be able to access protected user data
Description: A logic issue was addressed with improved restrictions.
CVE-2025-43416: Gergely Kalman (@gergely_kalman)

Voice Control
Available for: macOS Sequoia
Impact: A user with Voice Control enabled may be able to transcribe
another user's activity
Description: A session management issue was addressed with improved
checks.
CVE-2025-43516: Kay Belardinelli (Harvard University)

VoiceOver
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved checks.
CVE-2025-43530: Mickey Jin (@patch1t)

Additional recognition

Sandbox
We would like to acknowledge Arnaud Abbati for their assistance.

macOS Sequoia 15.7.3 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/