geplaatst door: Robert
https://www.macfreak.nl/modules/news/images/BigSur-icoon.jpg
Security updates voor macOS Big Sur en Catalina
Als er een update voor de huidige versie van macOS wordt uitgebracht dan komen kort daarna in de regel ook updates voor de twee voorgaande versies van het besturingssysteem voor de Mac. Tenminste, als er niet plotseling onverwachte vertragingen optreden.

Maar nu zijn ze er wel gewoon zoals verwacht, de Security Update 2022-004 Catalina en macOS Big Sur 11.6.6. De lijst aan opgeloste bugs voor het verbeteren van de veiligheid is enorm, en laat nog eens zien hoe belangrijk dit soort updates geworden zijn, en hoezeer alle besturingssystemen tegenwoordig constant onder vuur liggen.

https://www.macfreak.nl/modules/news/images/zArt.BigSurSafariMacBookPro.jpg
Security updates voor macOS Big Sur en Catalina


Hieronder de complete lijst voor Security Update 2022-004 Catalina, waarbij opvallend veel lekken in de Intel Graphics Driver bleken te zijn.

Citaat
apache
Available for: macOS Catalina
Impact: Multiple issues in apache
Description: Multiple issues were addressed by updating apache to version 2.4.53.
CVE-2021-44224
CVE-2021-44790
CVE-2022-22719
CVE-2022-22720
CVE-2022-22721

AppKit
Available for: macOS Catalina
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22665: Lockheed Martin Red Team

AppleGraphicsControl
Available for: macOS Catalina
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

AppleScript
Available for: macOS Catalina
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro

AppleScript
Available for: macOS Catalina
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2022-26698: Qi Sun of Trend Micro

CoreTypes
Available for: macOS Catalina
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks to prevent unauthorized actions.
CVE-2022-22663: Arsenii Kostromin (0x3c3e)

CVMS
Available for: macOS Catalina
Impact: A malicious application may be able to gain root privileges
Description: A memory initialization issue was addressed.
CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori
CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori

DriverKit
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

Graphics Drivers
Available for: macOS Catalina
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2022-22674: an anonymous researcher

Intel Graphics Driver
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-26720: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2022-26770: Liu Long of Ant Security Light-Year Lab

Intel Graphics Driver
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2022-26756: Jack Dates of RET2 Systems, Inc

Intel Graphics Driver
Available for: macOS Catalina
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2022-26769: Antonio Zekic (@antoniozekic)

Intel Graphics Driver
Available for: macOS Catalina
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative

Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs_sg)

Kernel
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2022-26757: Ned Williamson of Google Project Zero

libresolv
Available for: macOS Catalina
Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2022-26775: Max Shavrick (@_mxms) of the Google Security Team

LibreSSL
Available for: macOS Catalina
Impact: Processing a maliciously crafted certificate may lead to a denial of service
Description: A denial of service issue was addressed with improved input validation.
CVE-2022-0778

libxml2
Available for: macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2022-23308

OpenSSL
Available for: macOS Catalina
Impact: Processing a maliciously crafted certificate may lead to a denial of service
Description: This issue was addressed with improved checks.
CVE-2022-0778

PackageKit
Available for: macOS Catalina
Impact: A malicious application may be able to modify protected parts of the file system
Description: This issue was addressed with improved entitlements.
CVE-2022-26727: Mickey Jin (@patch1t)

Printing
Available for: macOS Catalina
Impact: A malicious application may be able to bypass Privacy preferences
Description: This issue was addressed by removing the vulnerable code.
CVE-2022-26746: @gorelics

Security
Available for: macOS Catalina
Impact: A malicious app may be able to bypass signature validation
Description: A certificate parsing issue was addressed with improved checks.
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

SMB
Available for: macOS Catalina
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs

SoftwareUpdate
Available for: macOS Catalina
Impact: A malicious application may be able to access restricted files
Description: This issue was addressed with improved entitlements.
CVE-2022-26728: Mickey Jin (@patch1t)

TCC
Available for: macOS Catalina
Impact: An app may be able to capture a user's screen
Description: This issue was addressed with improved checks.
CVE-2022-26726: an anonymous researcher

Tcl
Available for: macOS Catalina
Impact: A malicious application may be able to break out of its sandbox
Description: This issue was addressed with improved environment sanitization.
CVE-2022-26755: Arsenii Kostromin (0x3c3e)

WebKit
Available for: macOS Catalina
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript
Description: A validation issue was addressed with improved input sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

Wi-Fi
Available for: macOS Catalina
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2022-26761: Wang Yu of Cyberserval

zip
Available for: macOS Catalina
Impact: Processing a maliciously crafted file may lead to a denial of service
Description: A denial of service issue was addressed with improved state handling.
CVE-2022-0530

zlib
Available for: macOS Catalina
Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-25032: Tavis Ormandy

zsh
Available for: macOS Catalina
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed by updating to zsh version 5.8.1.
CVE-2021-45444


 #Update #Catalina #BigSur
Informatie over producten of diensten op MacFreak onder de aandacht brengen is hier te vinden.