"Enter" drücken, um zum Inhalt weiterzugehen

Mojave-Update 10.14.6, Safari 12.1.2 und Sicherheits-Aktualisierung 2019-004

Mittlerweile kann man Mojave als „ausgereift“ bezeichnen, mit der soeben veröffentlichten Aktualisierung auf Version 10.14.6 nähert sich das Ende der Weiterentwicklung dieses Systems. Im September/Oktober 2019 wird Apple das Nachfolgesystem 10.15 Catalina freigeben – es sei an dieser Stelle aber noch einmal deutlich vor dem Einsatz gewarnt!

Es ist sinnvoll, auf Produktivsystemen weiterhin mit 10.13.6 High Sierra oder 10.14.6 Mojave zu arbeiten und bezüglich Catalina die Version 10.15.2, 10.15.3 oder auch 10.15.4 abzuwarten.

Das Combo-Update 10.14.6 bekommt man hier, die Sicherheits-Aktualisierung 2019-004 für Sierra hier und für High Sierra hier.

Anbei wie immer die CVEs:

AppleGraphicsControl
Available for: macOS Mojave 10.14.5
Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization.
CVE-2019-8693: Arash Tohidi of Solita

autofs
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper on files mounted through a network share.
CVE-2019-8656: Filippo Cavallarin

Bluetooth
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-19860

Carbon Core
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2019-8661: Natalie Silvanovich of Google Project Zero

Core Data
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project Zero

Disk Management
Available for: macOS Mojave 10.14.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8697: ccpwd working with Trend Micro’s Zero Day Initiative

FaceTime
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu

Found in Apps
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to leak memory
Description: This issue was addressed with improved checks.
CVE-2019-8663: Natalie Silvanovich of Google Project Zero

Foundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.5
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero

Grapher
Available for: macOS Mojave 10.14.5
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8695: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative

Graphics Drivers
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2019-8691: Aleksandr Tarasikov, Arash Tohidi of Solita, Lilang Wu and Moony Li of Trend Micro
CVE-2019-8692: Lilang Wu and Moony Li of Trend Micro

Heimdal
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent unauthorized actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

IOAcceleratorFamily
Available for: macOS Mojave 10.14.5
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8694: Arash Tohidi of Solita

libxslt
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input validation.
CVE-2019-13118: found by OSS-Fuzz

Quick Look
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project Zero

Safari
Available for: macOS Mojave 10.14.5
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2019-8670: Tsubasa FUJII

Security
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8697: ccpwd working with Trend Micro’s Zero Day Initiative

Siri
Available for: macOS Mojave 10.14.5
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Time Machine
Available for: macOS Mojave 10.14.5
Impact: The encryption status of a Time Machine backup may be incorrect
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2019-8667: Roland Kletzing

UIFoundation
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5
Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro’s Zero Day Initiative

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2019-8670: Tsubasa FUJII

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2019-8658: akayn working with Trend Micro’s Zero Day Initiative

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of document loads.
This issue was addressed with improved state management.
CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8644: G. Geshev working with Trend Micro’s Zero Day Initiative
CVE-2019-8666: Zongming Wang and Zhe Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
CVE-2019-8669: akayn working with Trend Micro’s Zero Day Initiative
CVE-2019-8671: Apple
CVE-2019-8672: Samuel Groß of Google Project Zero
CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8677: Jihui Lu of Tencent KeenLab
CVE-2019-8678: an anonymous researcher, Anthony Lai of Knownsec, Ken Wong of VXRL, Jeonghoon Shin of Theori, Johnny Yu of VX Browser Exploitation Group, Chris Chan of VX Browser Exploitation Group, Phil Mok of VX Browser Exploitation Group, Alan Ho of Knownsec, Byron Wai of VX Browser Exploitation
CVE-2019-8679: Jihui Lu of Tencent KeenLab
CVE-2019-8680: Jihui Lu of Tencent KeenLab
CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong of VXRL, Anthony Lai of VXRL, and Eric Lung of VXRL
CVE-2019-8686: G. Geshev working with Trend Micro’s Zero Day Initiative
CVE-2019-8687: Apple
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and included in macOS Mojave 10.14.6
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of synchronous page loads.
This issue was addressed with improved state management.
CVE-2019-8649: Sergei Glazunov of Google Project Zero