APPLE-SA-10-25-2023-5 macOS Ventura 13.6.1

macOS Ventura 13.6.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213985.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreAnimation
Available for: macOS Ventura
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider
Available for: macOS Ventura
Impact: An app may be able to cause a denial-of-service to Endpoint Security clients
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
CVE-2023-40413: Adam M.

Foundation
Available for: macOS Ventura
Impact: A website may be able to access sensitive user data when resolving symlinks
Description: This issue was addressed with improved handling of symlinks.
CVE-2023-42844: Ron Masas of BreakPoint.SH

Image Capture
Available for: macOS Ventura
Impact: An app may be able to access protected user data
Description: The issue was addressed with improved checks.
CVE-2023-41077: Mickey Jin (@patch1t)

ImageIO
Available for: macOS Ventura
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40416: JZ

IOTextEncryptionFamily
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-40423: an anonymous researcher

iperf3
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved checks.
CVE-2023-38403

Kernel
Available for: macOS Ventura
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

Model I/O
Available for: macOS Ventura
Impact: Processing a file may lead to unexpected app termination or arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Passkeys
Available for: macOS Ventura
Impact: An attacker may be able to access passkeys without authentication
Description: The issue was addressed with additional permissions checks.
CVE-2023-40401: an anonymous researcher, weize she

Pro Res
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of 360 Vulnerability Research Institute

talagent
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Weather
Available for: macOS Ventura
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of Computer Science, Romania

WindowServer
Available for: macOS Ventura
Impact: A website may be able to access the microphone without the microphone use indicator being shown
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers
We would like to acknowledge an anonymous researcher for their assistance.

libarchive
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project Zero for their assistance.

macOS Ventura 13.6.1 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/