About the security content of macOS Sonoma 14.2

This document describes the security content of macOS Sonoma 14.2.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Sonoma 14.2

Released December 11, 2023

Accessibility

Available for: macOS Sonoma

Impact: Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard

Description: This issue was addressed with improved state management.

CVE-2023-42874: Don Clarke

Accessibility

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Entry added January 22, 2024

Accounts

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents

Available for: macOS Sonoma

Impact: An app may be able to access information about a user's contacts

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl

Available for: macOS Sonoma

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2023-42901: Ivan Fratric of Google Project Zero

CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-42912: Ivan Fratric of Google Project Zero

CVE-2023-42903: Ivan Fratric of Google Project Zero

CVE-2023-42904: Ivan Fratric of Google Project Zero

CVE-2023-42905: Ivan Fratric of Google Project Zero

CVE-2023-42906: Ivan Fratric of Google Project Zero

CVE-2023-42907: Ivan Fratric of Google Project Zero

CVE-2023-42908: Ivan Fratric of Google Project Zero

CVE-2023-42909: Ivan Fratric of Google Project Zero

CVE-2023-42910: Ivan Fratric of Google Project Zero

CVE-2023-42911: Ivan Fratric of Google Project Zero

CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42882: Ivan Fratric of Google Project Zero

AppleVA

Available for: macOS Sonoma

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42881: Ivan Fratric of Google Project Zero

Entry added December 12, 2023

Archive Utility

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42924: Mickey Jin (@patch1t)

Assets

Available for: macOS Sonoma

Impact: An app may be able to modify protected parts of the file system

Description: An issue was addressed with improved handling of temporary files.

CVE-2023-42896: Mickey Jin (@patch1t)

Entry added March 22, 2024

AVEVideoEncoder

Available for: macOS Sonoma

Impact: An app may be able to disclose kernel memory

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42884: an anonymous researcher

Bluetooth

Available for: macOS Sonoma

Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

Description: The issue was addressed with improved checks.

CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices

Available for: macOS Sonoma

Impact: A user may be able to cause unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

curl

Available for: macOS Sonoma

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 8.4.0.

CVE-2023-38545

CVE-2023-38039

CVE-2023-38546

Entry added January 22, 2024, updated February 13, 2024

DiskArbitration

Available for: macOS Sonoma

Impact: A process may gain admin privileges without proper authentication

Description: The issue was addressed with improved checks.

CVE-2023-42931: Yann GASCUEL of Alter Solutions

Entry added March 22, 2024

FileURL

Available for: macOS Sonoma

Impact: A local attacker may be able to elevate their privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-42892: Anthony Cruz @App Tyrant Corp

Entry added March 22, 2024

Find My

Available for: macOS Sonoma

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO

Available for: macOS Sonoma

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Zhenjiang Zhao of Pangu Team, Qianxin and Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Entry updated March 22, 2024

ImageIO

Available for: macOS Sonoma

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Entry added January 22, 2024

IOKit

Available for: macOS Sonoma

Impact: An app may be able to monitor keystrokes without user permission

Description: An authentication issue was addressed with improved state management.

CVE-2023-42891: an anonymous researcher

IOUSBDeviceFamily

Available for: macOS Sonoma

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-42974: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Entry added March 22, 2024

Kernel

Available for: macOS Sonoma

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

Libsystem

Available for: macOS Sonoma

Impact: An app may be able to access protected user data

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-42893

Entry added March 22, 2024

Model I/O

Available for: macOS Sonoma

Impact: Processing an image may lead to a denial-of-service

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-3618

Entry added March 22, 2024

ncurses

Available for: macOS Sonoma

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2020-19185

CVE-2020-19186

CVE-2020-19187

CVE-2020-19188

CVE-2020-19189

CVE-2020-19190

NSOpenPanel

Available for: macOS Sonoma

Impact: An app may be able to read arbitrary files

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2023-42887: Ron Masas of BreakPoint.sh

Entry added January 22, 2024

Sandbox

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42936: Csaba Fitzl (@theevilbit) of OffSec

Entry added March 22, 2024, updated July 16, 2024

Share Sheet

Available for: macOS Sonoma

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a protected location.

CVE-2023-40390: Csaba Fitzl (@theevilbit) of Offensive Security and Mickey Jin (@patch1t)

Entry added March 22, 2024

SharedFileList

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved checks.

CVE-2023-42842: an anonymous researcher

Shell

Available for: macOS Sonoma

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2023-42930: Arsenii Kostromin (0x3c3e)

Entry added March 22, 2024

System Settings

Available for: macOS Sonoma

Impact: Remote Login sessions may be able to obtain full disk access permissions

Description: This issue was addressed through improved state management.

CVE-2023-42913: Mattie Behrens and Joshua Jewett (@JoshJewett33)

Entry added March 22, 2024

TCC

Available for: macOS Sonoma

Impact: An app may be able to access protected user data

Description: A logic issue was addressed with improved checks.

CVE-2023-42932: Zhongquan Li (@Guluisacat)

TCC

Available for: macOS Sonoma

Impact: An app may be able to break out of its sandbox

Description: A path handling issue was addressed with improved validation.

CVE-2023-42947: Zhongquan Li (@Guluisacat) of Dawn Security Lab of JingDong

Entry added March 22, 2024

Transparency

Available for: macOS Sonoma

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved restriction of data container access.

CVE-2023-40389: Csaba Fitzl (@theevilbit) of Offensive Security and Joshua Jewett (@JoshJewett33)

Entry added July 16, 2024

Vim

Available for: macOS Sonoma

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: This issue was addressed by updating to Vim version 9.0.1969.

CVE-2023-5344

WebKit

Available for: macOS Sonoma

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830

CVE-2023-42890: Pwn2car

WebKit

Available for: macOS Sonoma

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349

CVE-2023-42883: Zoom Offensive Security Team

WebKit

Available for: macOS Sonoma

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 263682

CVE-2023-42950: Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute and rushikesh nandedkar

Entry added March 22, 2024

WebKit

Available for: macOS Sonoma

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263989

CVE-2023-42956: SungKwon Lee (Demon.Team)

Entry added March 22, 2024

Additional recognition

Memoji

We would like to acknowledge Jerry Tenenbaum for their assistance.

WebSheet

We would like to acknowledge Paolo Ruggero of e-phors S.p.A. (A FINCANTIERI S.p.A. Company) for their assistance.

Entry added March 22, 2024

Wi-Fi

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: