APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave
APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave
- Subject: APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave
- From: Apple Product Security via Security-announce <email@hidden>
- Date: Wed, 21 Jul 2021 17:13:20 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave
Security Update 2021-005 Mojave addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212603.
AMD Kernel
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2021-30805: ABC Research s.r.o
AppKit
Available for: macOS Mojave
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2021-30790: hjy79425575 working with Trend Micro Zero Day
Initiative
Audio
Available for: macOS Mojave
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30781: tr3e
Bluetooth
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30672: say2 of ENKI
CoreStorage
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: An injection issue was addressed with improved
validation.
CVE-2021-30777: Tim Michaud(@TimGMichaud) of Zoom Video
Communications and Gary Nield of ECSC Group plc
CoreText
Available for: macOS Mojave
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30733: Sunglin from the Knownsec 404
CVMS
Available for: macOS Mojave
Impact: A malicious application may be able to gain root privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30780: Tim Michaud(@TimGMichaud) of Zoom Video
Communications
FontParser
Available for: macOS Mojave
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2021-30760: Sunglin of Knownsec 404 team
FontParser
Available for: macOS Mojave
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A stack overflow was addressed with improved input
validation.
CVE-2021-30759: hjy79425575 working with Trend Micro Zero Day
Initiative
FontParser
Available for: macOS Mojave
Impact: Processing a maliciously crafted tiff file may lead to a
denial-of-service or potentially disclose memory contents
Description: This issue was addressed with improved checks.
CVE-2021-30788: tr3e working with Trend Micro Zero Day Initiative
Intel Graphics Driver
Available for: macOS Mojave
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: This issue was addressed with improved checks.
CVE-2021-30787: Anonymous working with Trend Micro Zero Day
Initiative
Intel Graphics Driver
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2021-30765: Liu Long of Ant Security Light-Year Lab
CVE-2021-30766: Liu Long of Ant Security Light-Year Lab
Kernel
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A double free issue was addressed with improved memory
management.
CVE-2021-30703: an anonymous researcher
Kernel
Available for: macOS Mojave
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved state
management.
CVE-2021-30793: Zuozhi Fan (@pattern_F_) of Ant Security TianQiong
Lab
LaunchServices
Available for: macOS Mojave
Impact: A malicious application may be able to break out of its
sandbox
Description: This issue was addressed with improved environment
sanitization.
CVE-2021-30677: Ron Waisberg (@epsilan)
LaunchServices
Available for: macOS Mojave
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: An access issue was addressed with improved access
restrictions.
CVE-2021-30783: Ron Waisberg (@epsilan)
Model I/O
Available for: macOS Mojave
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A logic issue was addressed with improved validation.
CVE-2021-30796: Mickey Jin (@patch1t) of Trend Micro
Sandbox
Available for: macOS Mojave
Impact: A malicious application may be able to access restricted
files
Description: This issue was addressed with improved checks.
CVE-2021-30782: Csaba Fitzl (@theevilbit) of Offensive Security
WebKit
Available for: macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2021-30799: Sergei Glazunov of Google Project Zero
Additional recognition
configd
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
CoreServices
We would like to acknowledge Zhongcheng Li (CK01) for their
assistance.
CoreText
We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for
their assistance.
crontabs
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
IOKit
We would like to acknowledge George Nosenko for their assistance.
Spotlight
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
Installation note:
This update may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmD4r8gACgkQZcsbuWJ6
jjAFqw//aRrp4GJSvgT+hScSa6eEABeqAhFgN5tnuRq5i08PpnrHvHqzTHK/Mt14
XEC1ki6Vzhe68ngSqGwLllEv1UjMZ2BkCCNQWse5RmkPvjwXO815SjZyJuVWwVdf
t4zlfFaMKS/kzxugIMUD6auYUKGaqV3FJYvWYBStvbdv5veu1zuEH5d7MxeQ/A8X
32oM7I1anDUEC7yRjT4yV567ameQElIiv+plLgyQwvK4DcRCNPvpdq+7wLgnoeXU
WYFUOVsJkzFy1oOnVUmX/DQgoYW7jbZzN2+rnPRcYMl+VqpQDP0leefMOTY2OPlR
CAbJD7N67UZwC/e4PKIv6Q5q+ajqsnqo9MOmmB8kbVHn9aIU2Z52FxIv7fM58cA0
OQOYcngSHboz1q2JMjhBm+RJWy67B/1W6F/TOklbdMTlIlF/e3EkL/kpx0Svvpco
zCOv1KeS4NO/gxijkLxuZzMhFzj3Gl+hMBwwVARIR4TbvKX0oqiHetGL0ImnHVKy
P+AXZwvqSHdV9XOxz2BQoSaeMxTNfwp+TIIttbLPU8no8uUcJKgPx5fp/+nnWjrd
IPCBc0JG9f41nbx/WlVFIaBZ0idS6c5g9zxDyBI1xaxbF0LPG3ID3sx589Nj5+wL
/p8WfH/o9nv7psvQMO8PgzQ+orSZo5LOBAq1rFzwOKGPZaYNeKc=
=gcuI
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden