-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-03-07-2024-2 macOS Sonoma 14.4

macOS Sonoma 14.4 addresses the following issues.
Information about the security content is also available at https://support.apple.com/kb/HT214084.

Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Accessibility
Available for: macOS Sonoma
Impact: A malicious app may be able to observe user data in log entries related to accessibility notifications
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23291

Admin Framework
Available for: macOS Sonoma
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
CVE-2024-23276: Kirin (@Pwnrin)

Airport
Available for: macOS Sonoma
Impact: An app may be able to read sensitive location information
Description: This issue was addressed with improved redaction of sensitive information.
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app
Description: This issue was addressed with improved checks.
CVE-2024-23233: Mickey Jin (@patch1t)

AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
CVE-2024-23269: Mickey Jin (@patch1t)

AppleMobileFileIntegrity
Available for: macOS Sonoma
Impact: An app may be able to elevate privileges
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and Kirin (@Pwnrin)

Bluetooth
Available for: macOS Sonoma
Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard
Description: The issue was addressed with improved checks.
CVE-2024-23277: Marc Newlin of SkySafe

ColorSync
Available for: macOS Sonoma
Impact: Processing a file may lead to unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

ColorSync
Available for: macOS Sonoma
Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved memory handling.
CVE-2024-23248: m4yfly with TianGong Team of Legendsec at Qi'anxin Group
CVE-2024-23249: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreBluetooth - LE
Available for: macOS Sonoma
Impact: An app may be able to access Bluetooth-connected microphones without user permission
Description: An access issue was addressed with improved access restrictions.
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Dock
Available for: macOS Sonoma
Impact: An app from a standard user account may be able to escalate privilege after admin user login
Description: A logic issue was addressed with improved restrictions.
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

ExtensionKit
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23205

file
Available for: macOS Sonoma
Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents
Description: This issue was addressed with improved checks.
CVE-2022-48554

Image Capture
Available for: macOS Sonoma
Impact: An app may be able to access a user's Photos Library
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-23253: Mickey Jin (@patch1t)

Image Processing
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23270: an anonymous researcher

ImageIO
Available for: macOS Sonoma
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO
Available for: macOS Sonoma
Impact: Processing an image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2024-23258: Zhenjiang Zhao of pangu team, Qianxin

ImageIO
Available for: macOS Sonoma
Impact: Processing an image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Intel Graphics Driver
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A race condition was addressed with additional validation.
CVE-2024-23235

Kernel
Available for: macOS Sonoma
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel
Available for: macOS Sonoma
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23225

libxpc
Available for: macOS Sonoma
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved checks.
CVE-2024-23278: an anonymous researcher

libxpc
Available for: macOS Sonoma
Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-0258: ali yabuz

MediaRemote
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23279: an anonymous researcher

Messages
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2024-23287: Kirin (@Pwnrin)

Metal
Available for: macOS Sonoma
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

Music
Available for: macOS Sonoma
Impact: An app may be able to create symlinks to protected regions of the disk
Description: This issue was addressed with improved handling of symlinks.
CVE-2024-23285: @08Tc3wBB of Jamf

Notes
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23283

OpenSSH
Available for: macOS Sonoma
Impact: Multiple issues in OpenSSH
Description: Multiple issues were addressed by updating to OpenSSH 9.6.
CVE-2023-48795
CVE-2023-51384
CVE-2023-51385

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved state management.
CVE-2022-42816: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to overwrite arbitrary files
Description: A path handling issue was addressed with improved validation.
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to bypass certain Privacy preferences
Description: The issue was addressed with improved checks.
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to elevate privileges
Description: An injection issue was addressed with improved input validation.
CVE-2024-23268: Mickey Jin (@patch1t), Pedro Tôrres (@t0rr3sp3dr0)
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A logic issue was addressed with improved checks.
CVE-2023-42853: Mickey Jin (@patch1t)

PackageKit
Available for: macOS Sonoma
Impact: An app may be able to access protected user data
Description: A race condition was addressed with additional validation.
CVE-2024-23275: Mickey Jin (@patch1t)

Photos
Available for: macOS Sonoma
Impact: Photos in the Hidden Photos Album may be viewed without authentication
Description: An authentication issue was addressed with improved state management.
CVE-2024-23255: Harsh Tyagi

QuartzCore
Available for: macOS Sonoma
Impact: Processing malicious input may lead to code execution
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-23294: Wojciech Regula of SecuRing (wojciechregula.blog)

RTKit
Available for: macOS Sonoma
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23296

Safari
Available for: macOS Sonoma
Impact: Processing web content may lead to a denial-of-service
Description: The issue was addressed with improved checks.
CVE-2024-23259: Lyra Rebane (rebane2001)

Safari Private Browsing
Available for: macOS Sonoma
Impact: Private Browsing tabs may be accessed without authentication
Description: This issue was addressed through improved state management.
CVE-2024-23273: Matej Rabzelj

Sandbox
Available for: macOS Sonoma
Impact: An app may be able to edit NVRAM variables
Description: An access issue was addressed with improved access restrictions.
CVE-2024-23238

Sandbox
Available for: macOS Sonoma
Impact: An app may be able to leak sensitive user information
Description: A race condition was addressed with improved state handling.
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A logic issue was addressed with improved restrictions.
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Screen Capture
Available for: macOS Sonoma
Impact: An app may be able to capture a user's screen
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2024-23232: Yiğit Can YILMAZ (@yilmazcanyigit)

Share Sheet
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2024-23231: Kirin (@Pwnrin) and luckyu (@uuulucky)

SharedFileList
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved file handling.
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts
Available for: macOS Sonoma
Impact: Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2024-23245: an anonymous researcher

Shortcuts
Available for: macOS Sonoma
Impact: An app may be able to access information about a user's contacts
Description: This issue was addressed with improved data protection.
CVE-2024-23292: K宝 and LFY@secsys from Fudan University

Siri
Available for: macOS Sonoma
Impact: A person with physical access to a device may be able to use Siri to access private calendar information
Description: A lock screen issue was addressed with improved state management.
CVE-2024-23289: Lewis Hardy

Siri
Available for: macOS Sonoma
Impact: An attacker with physical access may be able to use Siri to access sensitive user data
Description: This issue was addressed through improved state management.
CVE-2024-23293: Bistrit Dahal

Spotlight
Available for: macOS Sonoma
Impact: An app may be able to leak sensitive user information
Description: This issue was addressed through improved state management.
CVE-2024-23241

Storage Services
Available for: macOS Sonoma
Impact: A user may gain access to protected parts of the file system
Description: A logic issue was addressed with improved checks.
CVE-2024-23272: Mickey Jin (@patch1t)

Synapse
Available for: macOS Sonoma
Impact: An app may be able to view Mail data
Description: A privacy issue was addressed by not logging contents of text fields.
CVE-2024-23242

System Settings
Available for: macOS Sonoma
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved state management.
CVE-2024-23281: Joshua Jewett (@JoshJewett33)

TV App
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing additional entitlements.
CVE-2024-23260: Joshua Jewett (@JoshJewett33)

UIKit
Available for: macOS Sonoma
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik

WebKit
Available for: macOS Sonoma
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259694
CVE-2024-23226: Pwn2car

WebKit
Available for: macOS Sonoma
Impact: Processing web content may lead to a denial-of-service
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 263758
CVE-2024-23252: anbu1024 of SecANT

WebKit
Available for: macOS Sonoma
Impact: A malicious website may exfiltrate audio data cross-origin
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 263795
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved validation.
WebKit Bugzilla: 264811
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit
Available for: macOS Sonoma
Impact: A maliciously crafted webpage may be able to fingerprint the user
Description: An injection issue was addressed with improved validation.
WebKit Bugzilla: 266703
CVE-2024-23280: an anonymous researcher

WebKit
Available for: macOS Sonoma
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 267241
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

AppKit
We would like to acknowledge Stephan Casas for their assistance.

CoreAnimation
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for their assistance.

Endpoint Security
We would like to acknowledge Matthew White for their assistance.

Find My
We would like to acknowledge Meng Zhang (鲸落) of NorthSea for their assistance.

Kernel
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung Lee) for their assistance.

libarchive
We would like to acknowledge koocola for their assistance.

libxml2
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google Project Zero for their assistance.

libxpc
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon: @pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Model I/O
We would like to acknowledge Junsung Lee for their assistance.

Photos
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal for their assistance.

Power Management
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. for their assistance.

Safari
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 (Lee Dong Ha of ZeroPointer Lab) for their assistance.

SharedFileList
We would like to acknowledge Phil Schneider of Canva for their assistance.

Siri
We would like to acknowledge Bistrit Dahal for their assistance.

Storage Driver
We would like to acknowledge Liang Wei of PixiePoint Security for their assistance.

SystemMigration
We would like to acknowledge Eugene Gershnik for their assistance.

TCC
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

WebKit
We would like to acknowledge Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

macOS Sonoma 14.4 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/