Tech
Today’s release of macOS Sequoia brings 70+ new security fixes – 9to5Mac
macOS Sequoia has officially launched with new features and improvements such as window tiling, iPhone Mirroring, the new Password app, and more. But under the hood, Apple delivered a staggering amount of patched bugs/vulnerabilities to Mac users. These are the 76 security patches that come with the first public release of macOS 15 Sequoia.
The release of macOS Sequoia includes a significant number of security fixes, which is not surprising for a major .0 release. However, this is the most extensive list of CVEs I’ve ever seen in a single update. It’s great to see so many researchers and developers working to report bugs and flaws to help make the release of Sequoia as airtight as possible.
Apple shared details of each on its Security Updates page. The CVEs range from kernel vulnerabilities to addressing access to sensitive data in apps like Siri, Maps, and Shortcuts. These fixes help prevent potential exploits like arbitrary code execution, privilege escalation, and memory leaks. Apple also implemented patches to protect against various attacks by improving memory handling, input validation, and sandbox restrictions.
Here’s the full list of 76 security fixes with macOS Sequoia:
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to leak sensitive user information
Description: The issue was addressed with improved checks.
CVE-2024-44129
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved permissions logic.
CVE-2024-44153: Mickey Jin (@patch1t)
Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44188: Bohdan Stasiuk (@Bohdan_Stasiuk)
APFS
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious app with root privileges may be able to modify the contents of system files
Description: The issue was addressed with improved checks.
CVE-2024-40825: Pedro Tôrres (@t0rr3sp3dr0)
APNs
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app with root privileges may be able to access private information
Description: This issue was addressed with improved data protection.
CVE-2024-44130
App Intents
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive data logged when a shortcut fails to launch another app
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-44182: Kirin (@Pwnrin)
AppleGraphicsControl
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
AppleGraphicsControl
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: The issue was addressed with improved memory handling.
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2024-44164: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40837: Kirin (@Pwnrin)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive user data
Description: The issue was addressed with additional code-signing restrictions.
CVE-2024-40847: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An attacker may be able to read sensitive information
Description: A downgrade issue was addressed with additional code-signing restrictions.
CVE-2024-40848: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A library injection issue was addressed with additional restrictions.
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos
AppleVA
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An application may be able to read restricted memory
Description: The issue was addressed with improved memory handling.
CVE-2024-27860: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
CVE-2024-27861: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
AppleVA
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
AppSandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A camera extension may be able to access the internet
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-27795: Halle Winkler, Politepix @hallewinkler
AppSandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected files within an App Sandbox container
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44135: Mickey Jin (@patch1t)
ArchiveService
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved handling of symlinks.
CVE-2024-44132: Mickey Jin (@patch1t)
Automator
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An Automator Quick Action workflow may be able to bypass Gatekeeper
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2024-44128: Anton Boegler
bless
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44151: Mickey Jin (@patch1t)
Compression
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Control Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to record the screen without an indicator
Description: The issue was addressed with improved checks.
CVE-2024-27869: an anonymous researcher
Control Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Privacy Indicators for microphone or camera access may be attributed incorrectly
Description: A logic issue was addressed with improved state management.
CVE-2024-27875: Yiğit Can YILMAZ (@yilmazcanyigit)
copyfile
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: A logic issue was addressed with improved file handling.
CVE-2024-44146: an anonymous researcher
CUPS
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-4504
Disk Images
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved validation of file attributes.
CVE-2024-44148: an anonymous researcher
Dock
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by removing sensitive data.
CVE-2024-44177: an anonymous researcher
FileProvider
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved validation of symlinks.
CVE-2024-44131: @08Tc3wBB of Jamf
Game Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
Image Capture
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access a user’s Photos Library
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40831: Mickey Jin (@patch1t)
ImageIO
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2024-27880: Junsung Lee
ImageIO
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero Day Initiative, an anonymous researcher
Installer
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to gain root privileges
Description: The issue was addressed with improved checks.
CVE-2024-40861: Mickey Jin (@patch1t)
Intel Graphics Driver
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted texture may lead to unexpected app termination
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
Intel Graphics Driver
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted texture may lead to unexpected app termination
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
IOSurfaceAccelerator
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Kernel
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven (@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
libxml2
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An integer overflow was addressed through improved input validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
Mail Accounts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)
Maps
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read sensitive location information
Description: An issue was addressed with improved handling of temporary files.
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University
mDNSResponder
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Model I/O
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted image may lead to a denial-of-service
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
Music
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-27858: Meng Zhang (鲸落) of NorthSea, Csaba Fitzl (@theevilbit) of Offensive Security
Notes
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
Notification Center
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious app may be able to access notifications from the user’s device
Description: A privacy issue was addressed by moving sensitive data to a protected location.
CVE-2024-40838: Brian McNulty, Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania, Vaibhav Prajapati
NSColor
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2024-44186: an anonymous researcher
OpenSSH
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Multiple issues in OpenSSH
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-39894
PackageKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed with improved validation of symlinks.
CVE-2024-44178: Mickey Jin (@patch1t)
Printing
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An unencrypted document may be written to a temporary file when using print preview
Description: A privacy issue was addressed with improved handling of files.
CVE-2024-40826: an anonymous researcher
Quick Look
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44149: Wojciech Regula of SecuRing (wojciechregula.blog), Csaba Fitzl (@theevilbit) of OffSec
Safari
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Visiting a malicious website may lead to user interface spoofing
Description: This issue was addressed through improved state management.
CVE-2024-40797: Rifa’i Rejal Maynando
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious application may be able to leak sensitive user information
Description: The issue was addressed with improved checks.
CVE-2024-44125: Zhongquan Li (@Guluisacat)
Sandbox
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious application may be able to access private information
Description: The issue was addressed with improved checks.
CVE-2024-44163: Zhongquan Li (@Guluisacat)
Security Initialization
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito (@pvieito), an anonymous researcher
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access protected user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40837: Kirin (@Pwnrin)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A shortcut may output sensitive user data without consent
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-44158: Kirin (@Pwnrin)
Shortcuts
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to observe data displayed to the user by Shortcuts
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea
Siri
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data to a more secure location.
CVE-2024-44170: K宝, LFY (@secsys), Smi1e, yulige, Cristian Dinca (icmd.tech), Rodolphe BRUNETTI (@eisw0lf)
sudo
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-40860: Arsenii Kostromin (0x3c3e)
System Settings
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-44152: Kirin (@Pwnrin)
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University
System Settings
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read arbitrary files
Description: A path handling issue was addressed with improved validation.
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)
TCC
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: On MDM managed devices, an app may be able to bypass certain Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44133: Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft
Transparency
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)
TV App
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40859: Csaba Fitzl (@theevilbit) of Offensive Security
Vim
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-41957
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI.
WebKit Bugzilla: 279451
CVE-2024-40866: Hafiizh and YoKo Kho (@yokoacc) of HakTrak
WebKit
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with “iframe” elements. This was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India)
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A non-privileged user may be able to modify restricted network settings
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-40770: Yiğit Can YILMAZ (@yilmazcanyigit)
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2024-23237: Charly Suchanek
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to read sensitive location information
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-44134
Wi-Fi
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An attacker may be able to force a device to disconnect from a secure network
Description: An integrity issue was addressed with Beacon Protection.
CVE-2024-40856: Domien Schepers
WindowServer
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: A logic issue existed where a process may be able to capture screen contents without user consent
Description: The issue was addressed with improved checks.
CVE-2024-44189: Tim Clem
XProtect
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved validation of environment variables.
CVE-2024-40842: Gergely Kalman (@gergely_kalman)
XProtect
Available for: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later)
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2024-40843: Koh M. Nakagawa (@tsunek0h)
Additional recognition
Admin Framework
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.
Airport
We would like to acknowledge David Dudok de Wit, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
APFS
We would like to acknowledge Georgi Valkov of httpstorm.com for their assistance.
App Store
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.
AppKit
We would like to acknowledge @08Tc3wBB of Jamf for their assistance.
Apple Neural Engine
We would like to acknowledge Jiaxun Zhu (@svnswords) and Minghao Lin (@Y1nKoc) for their assistance.
Automator
We would like to acknowledge Koh M. Nakagawa (@tsunek0h) for their assistance.
Core Bluetooth
We would like to acknowledge Nicholas C. of Onymos Inc. (onymos.com) for their assistance.
Core Services
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania, Kirin (@Pwnrin) and 7feilee, Snoolie Keffaber (@0xilis), Tal Lossos, Zhongquan Li (@Guluisacat) for their assistance.
Disk Utility
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for their assistance.
FileProvider
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Foundation
We would like to acknowledge Ostorlab for their assistance.
Kernel
We would like to acknowledge Braxton Anderson, Fakhri Zulkifli (@d0lph1n98) of PixiePoint Security for their assistance.
libxpc
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon: @pajp@blog.dll.nu) for their assistance.
LLVM
We would like to acknowledge Victor Duta of Universiteit Amsterdam, Fabio Pagani of University of California, Santa Barbara, Cristiano Giuffrida of Universiteit Amsterdam, Marius Muench, and Fabian Freyer for their assistance.
Maps
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
Music
We would like to acknowledge Khiem Tran of databaselog.com/khiemtran, K宝 and LFY@secsys from Fudan University, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Notifications
We would like to acknowledge an anonymous researcher for their assistance.
PackageKit
We would like to acknowledge Csaba Fitzl (@theevilbit) of OffSec, Mickey Jin (@patch1t), Zhongquan Li (@Guluisacat) for their assistance.
Passwords
We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their assistance.
Photos
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College of Technology Bhopal India, Harsh Tyagi, Leandro Chaves for their assistance.
Podcasts
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Quick Look
We would like to acknowledge Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com) for their assistance.
Safari
We would like to acknowledge Hafiizh and YoKo Kho (@yokoacc) of HakTrak, Junsung Lee, Shaheen Fazim for their assistance.
Sandbox
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania, Kirin (@Pwnrin) of NorthSea, Wojciech Regula of SecuRing (wojciechregula.blog), Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Screen Capture
We would like to acknowledge Joshua Jewett (@JoshJewett33), Yiğit Can YILMAZ (@yilmazcanyigit), an anonymous researcher for their assistance.
Shortcuts
We would like to acknowledge Cristian Dinca of “Tudor Vianu” National High School of Computer Science, Romania, Jacob Braun, an anonymous researcher for their assistance.
Siri
We would like to acknowledge Rohan Paudel for their assistance.
SystemMigration
We would like to acknowledge Jamey Wicklund, Kevin Jansen, an anonymous researcher for their assistance.
TCC
We would like to acknowledge Noah Gregory (wts.dev), Vaibhav Prajapati for their assistance.
UIKit
We would like to acknowledge Andr.Ess for their assistance.
Voice Memos
We would like to acknowledge Lisa B for their assistance.
WebKit
We would like to acknowledge Avi Lumelsky, Uri Katz, (Oligo Security), Johan Carlsson (joaxcar) for their assistance.
Wi-Fi
We would like to acknowledge Antonio Zekic (@antoniozekic) and ant4g0nist, Tim Michaud (@TimGMichaud) of Moveworks.ai for their assistance.
WindowServer
We would like to acknowledge Felix Kratz, an anonymous researcher for their assistance.
FTC: We use income earning auto affiliate links. More.