About the security content of macOS Big Sur 11.7.5

This document describes the security content of macOS Big Sur 11.7.5.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Big Sur 11.7.5

Released March 27, 2023

Apple Neural Engine

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD

Available for: macOS Big Sur

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-26702: an anonymous researcher, Antonio Zekic (@antoniozekic), and John Aakerblom (@jaakerblom)

AppleMobileFileIntegrity

Available for: macOS Big Sur

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility

Available for: macOS Big Sur

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 11, 2023

Calendar

Available for: macOS Big Sur

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Carbon Core

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync

Available for: macOS Big Sur

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

CommCenter

Available for: macOS Big Sur

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc

Available for: macOS Big Sur

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Find My

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

FontParser

Available for: macOS Big Sur

Impact: Processing a font file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-32366: Ye Zhang (@VAR10CK) of Baidu Security

Entry added December 21, 2023

Foundation

Available for: macOS Big Sur

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

Identity Services

Available for: macOS Big Sur

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO

Available for: macOS Big Sur

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO

Available for: macOS Big Sur

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

IOAcceleratorFamily

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32378: Murray Mike

Entry added December 21, 2023

Kernel

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

CVE-2023-28199: Arsenii Kostromin (0x3c3e)

Entry added May 11, 2023, updated December 21, 2023

Kernel

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger and David Pan Ogea

Entry added May 11, 2023, updated December 21, 2023

Kernel

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

Kernel

Available for: macOS Big Sur

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

Kernel

Available for: macOS Big Sur

Impact: An app may be able to cause a denial-of-service

Description: An integer overflow was addressed through improved input validation.

CVE-2023-28185: Pan ZhenPeng of STAR Labs SG Pte. Ltd.

Entry added December 21, 2023

LaunchServices

Available for: macOS Big Sur

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

Entry added May 11, 2023

libpthread

Available for: macOS Big Sur

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-41075: Zweig of Kunlun Lab

Entry added December 21, 2023

Mail

Available for: macOS Big Sur

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 11, 2023

Messages

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2023-28197: Joshua Jones

Entry added December 21, 2023

NetworkExtension

Available for: macOS Big Sur

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

PackageKit

Available for: macOS Big Sur

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-27962: Mickey Jin (@patch1t)

Podcasts

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

Entry added May 11, 2023

System Settings

Available for: macOS Big Sur

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: Adam M.

Entry updated December 21, 2023

System Settings

Available for: macOS Big Sur

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim

Available for: macOS Big Sur

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0433

CVE-2023-0512

XPC

Available for: macOS Big Sur

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock

We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity

We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing (wojciechregula.blog) for their assistance.

CoreServices

We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

NSOpenPanel

We would like to acknowledge Alexandre Colucci (@timacfr) for their assistance.

Wi-Fi

We would like to acknowledge an anonymous researcher for their assistance.

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: