-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2023-05-18-3 macOS Ventura 13.4 macOS Ventura 13.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213758. Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. Accessibility Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-32388: Kirin (@Pwnrin) Accessibility Available for: macOS Ventura Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app Description: This issue was addressed with improved checks. CVE-2023-32400: Mickey Jin (@patch1t) AppleMobileFileIntegrity Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed with improved entitlements. CVE-2023-32411: Mickey Jin (@patch1t) Associated Domains Available for: macOS Ventura Impact: An app may be able to break out of its sandbox Description: The issue was addressed with improved checks. CVE-2023-32371: James Duffy (mangoSecure) Contacts Available for: macOS Ventura Impact: An app may be able to observe unprotected user data Description: A privacy issue was addressed with improved handling of temporary files. CVE-2023-32386: Kirin (@Pwnrin) Core Location Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2023-32399: an anonymous researcher CoreServices Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed with improved redaction of sensitive information. CVE-2023-28191: Mickey Jin (@patch1t) CUPS Available for: macOS Ventura Impact: An unauthenticated user may be able to access recently printed documents Description: An authentication issue was addressed with improved state management. CVE-2023-32360: Gerhard Muth dcerpc Available for: macOS Ventura Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution Description: A use-after-free issue was addressed with improved memory management. CVE-2023-32387: Dimitrios Tatsis of Cisco Talos DesktopServices Available for: macOS Ventura Impact: An app may be able to break out of its sandbox Description: The issue was addressed with improved checks. CVE-2023-32414: Mickey Jin (@patch1t) GeoServices Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: A privacy issue was addressed with improved private data redaction for log entries. CVE-2023-32392: an anonymous researcher ImageIO Available for: macOS Ventura Impact: Processing an image may result in disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative ImageIO Available for: macOS Ventura Impact: Processing an image may lead to arbitrary code execution Description: A buffer overflow was addressed with improved bounds checking. CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative IOSurface Available for: macOS Ventura Impact: An app may be able to leak sensitive kernel state Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu IOSurfaceAccelerator Available for: macOS Ventura Impact: An app may be able to cause unexpected system termination or read kernel memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de) Kernel Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A type confusion issue was addressed with improved checks. CVE-2023-27930: 08Tc3wBB of Jamf Kernel Available for: macOS Ventura Impact: A sandboxed app may be able to observe system-wide network connections Description: The issue was addressed with additional permissions checks. CVE-2023-27940: James Duffy (mangoSecure) Kernel Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A use-after-free issue was addressed with improved memory management. CVE-2023-32398: Adam Doupé of ASU SEFCOM Kernel Available for: macOS Ventura Impact: An app may be able to gain root privileges Description: A race condition was addressed with improved state handling. CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative LaunchServices Available for: macOS Ventura Impact: An app may bypass Gatekeeper checks Description: A logic issue was addressed with improved checks. CVE-2023-32352: Wojciech Reguła (@_r3ggi) of SecuRing (wojciechregula.blog) libxpc Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft libxpc Available for: macOS Ventura Impact: An app may be able to gain root privileges Description: A logic issue was addressed with improved checks. CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7 Metal Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: A logic issue was addressed with improved state management. CVE-2023-32407: Gergely Kalman (@gergely_kalman) Model I/O Available for: macOS Ventura Impact: Processing a 3D model may result in disclosure of process memory Description: An out-of-bounds read was addressed with improved input validation. CVE-2023-32368: Mickey Jin (@patch1t) CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative CVE-2023-32382: Mickey Jin (@patch1t) Model I/O Available for: macOS Ventura Impact: Processing a 3D model may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2023-32380: Mickey Jin (@patch1t) NetworkExtension Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: This issue was addressed with improved redaction of sensitive information. CVE-2023-32403: an anonymous researcher PackageKit Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2023-32355: Mickey Jin (@patch1t) PDFKit Available for: macOS Ventura Impact: Opening a PDF file may lead to unexpected app termination Description: A denial-of-service issue was addressed with improved memory handling. CVE-2023-32385: Jonathan Fritz Perl Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2023-32395: Arsenii Kostromin (0x3c3e) Photos Available for: macOS Ventura Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup Description: The issue was addressed with improved checks. CVE-2023-32390: Julian Szulc Sandbox Available for: macOS Ventura Impact: An app may be able to retain access to system configuration files even after its permission is revoked Description: An authorization issue was addressed with improved state management. CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security Screen Saver Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: A permissions issue was addressed by removing vulnerable code and adding additional checks. CVE-2023-32363: Mickey Jin (@patch1t) Security Available for: macOS Ventura Impact: An app may be able to access user-sensitive data Description: This issue was addressed with improved entitlements. CVE-2023-32367: James Duffy (mangoSecure) Shell Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved state management. CVE-2023-32397: Arsenii Kostromin (0x3c3e) Shortcuts Available for: macOS Ventura Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user Description: The issue was addressed with improved checks. CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group Shortcuts Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed with improved entitlements. CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher Siri Available for: macOS Ventura Impact: A person with physical access to a device may be able to view contact information from the lock screen Description: The issue was addressed with improved checks. CVE-2023-32394: Khiem Tran SQLite Available for: macOS Ventura Impact: An app may be able to access data from other apps by enabling additional SQLite logging Description: This issue was addressed by adding additional SQLite logging restrictions. CVE-2023-32422: Gergely Kalman (@gergely_kalman) StorageKit Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed with improved entitlements. CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit) System Settings Available for: macOS Ventura Impact: An app firewall setting may not take effect after exiting the Settings app Description: This issue was addressed with improved state management. CVE-2023-28202: Satish Panduranga and an anonymous researcher Telephony Available for: macOS Ventura Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution Description: A use-after-free issue was addressed with improved memory management. CVE-2023-32412: Ivan Fratric of Google Project Zero TV App Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2023-32408: Adam M. Weather Available for: macOS Ventura Impact: An app may be able to read sensitive location information Description: This issue was addressed with improved redaction of sensitive information. CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher WebKit Available for: macOS Ventura Impact: Processing web content may disclose sensitive information Description: An out-of-bounds read was addressed with improved input validation. WebKit Bugzilla: 255075 CVE-2023-32402: an anonymous researcher WebKit Available for: macOS Ventura Impact: Processing web content may disclose sensitive information Description: A buffer overflow issue was addressed with improved memory handling. WebKit Bugzilla: 254781 CVE-2023-32423: Ignacio Sanmillan (@ulexec) WebKit Available for: macOS Ventura Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. Description: The issue was addressed with improved bounds checks. WebKit Bugzilla: 255350 CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab WebKit Available for: macOS Ventura Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds read was addressed with improved input validation. WebKit Bugzilla: 254930 CVE-2023-28204: an anonymous researcher This issue was first addressed in Rapid Security Response macOS 13.3.1 (a). WebKit Available for: macOS Ventura Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use-after-free issue was addressed with improved memory management. WebKit Bugzilla: 254840 CVE-2023-32373: an anonymous researcher This issue was first addressed in Rapid Security Response macOS 13.3.1 (a). Wi-Fi Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: This issue was addressed with improved redaction of sensitive information. CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. Additional recognition Accounts We would like to acknowledge Sergii Kryvoblotskyi of MacPaw Inc. for their assistance. CloudKit We would like to acknowledge Iconic for their assistance. libxml2 We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance. Reminders We would like to acknowledge Kirin (@Pwnrin) for their assistance. Rosetta We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance. Safari We would like to acknowledge Khiem Tran for their assistance. Security We would like to acknowledge Brandon Toms for their assistance. Share Sheet We would like to acknowledge Kirin (@Pwnrin) for their assistance. Wallet We would like to acknowledge James Duffy (mangoSecure) for their assistance. Wi-Fi We would like to acknowledge an anonymous researcher for their assistance. macOS Ventura 13.4 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmRmqM8ACgkQ4RjMIDke NxmqwQ/9GOjzdasEaFS3H6ZQC6QE6aEvM1vfdAsRnWAIQkJPI7BbVyGvvFKUvC/L T8KQv6QLIh6hWGZ6zd/piw6s8J05bom+8fJ2KzO9YXuLBYZCMu+ZTvyg/5ul38T2 f2VRxHAjZo61DDr43JGb7sLLv41vlfmSpGcfJXv5Y1XAsrjypJNxyCpE3xDFAX8s Rsoz0cp40hEDz5/9bvF7D5Ci08m6EkYvykrc6sIacM57Q58fGyW7rp/7Smk1+6kg Hrs/lqsFkV4ZxIrvwY3WLx84razBr8/uTeKpqKNpIZs1ff36awPU8Sjo0T3U+Afc 5kIfqh8hR7dWFBNXJ0JdNuH/F2zTH6RDlDBeC2ngE5ko+csMjdltI7qhp+9C2fwv tINDxuSUZAmvtRpodgPii0ZZJSgeHC+ekwmc8Ob0mYP57FaX91C7RP08bfEi3gZH wCKjE1T2vu8PMhGNsqOgfWWZoQDBOb5cHPRslqDdqctAiiLkXgAB10xpTjtA/0ZS zDq5HJtdWqsTrXXAdOP7/R9Gs7TKxYBFviNJE5KFbGkEBbuRqIYjhNgA2/8/h3J1 PGi6XkAzmoVWrZQWjrAbhrfodd1oOhiV+zuAZ1ayxLITGke5zwMgJW4RMfSd9MPp +Bqjq/zc84yoF0fe2U2DDwhNnFaNTSbZTW1hE4VvL5Jgu+YJiyg= =H91d -----END PGP SIGNATURE-----