Apple Security Advisory 2020-03-24-2

Posted Mar 25, 2020
Authored by Apple | Site apple.com

Apple Security Advisory 2020-03-24-2 - macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra are now available and address buffer overflow, bypass, code execution, and information leakage vulnerabilities.

tags | advisory, overflow, vulnerability, code execution
systems | apple
advisories | CVE-2019-14615, CVE-2019-19232, CVE-2019-8853, CVE-2020-3851, CVE-2020-3881, CVE-2020-3883, CVE-2020-3884, CVE-2020-3892, CVE-2020-3893, CVE-2020-3903, CVE-2020-3904, CVE-2020-3905, CVE-2020-3906, CVE-2020-3907, CVE-2020-3908, CVE-2020-3909, CVE-2020-3910, CVE-2020-3911, CVE-2020-3912, CVE-2020-3913, CVE-2020-3914, CVE-2020-3919, CVE-2020-9769, CVE-2020-9773, CVE-2020-9776, CVE-2020-9785
SHA-256 | 4b2e9754cfcc9e3fb6de389ec4b869006d47a50063e5e2135d1dfb561a85ed02


APPLE-SA-2020-03-24-2 macOS Catalina 10.15.4, Security Update
2020-002 Mojave, Security Update 2020-002 High Sierra

macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security
Update 2020-002 High Sierra are now available and address the
following:

Apple HSSPI Support
Available for: macOS Catalina 10.15.3
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team

AppleGraphicsControl
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved state management.
CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team

AppleMobileFileIntegrity
Available for: macOS Catalina 10.15.3
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3907: Yu Wang of Didi Research America
CVE-2020-3908: Yu Wang of Didi Research America
CVE-2020-3912: Yu Wang of Didi Research America

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-3892: Yu Wang of Didi Research America
CVE-2020-3893: Yu Wang of Didi Research America
CVE-2020-3905: Yu Wang of Didi Research America

Call History
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to access a user's call
history
Description: This issue was addressed with a new entitlement.
CVE-2020-9776: Benjamin Randazzo (@____benjamin)

CoreFoundation
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

FaceTime
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to view sensitive user information
Description: A logic issue was addressed with improved state
management.
CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion -
Israel Institute of Technology

Icons
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to identify what other
applications a user has installed
Description: The issue was addressed with improved handling of icon
caches.
CVE-2020-9773: Chilik Tamir of Zimperium zLabs

Intel Graphics Driver
Available for: macOS Catalina 10.15.3
Impact: A malicious application may disclose restricted memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2019-14615: Wenjian HE of Hong Kong University of Science and
Technology, Wei Zhang of Hong Kong University of Science and
Technology, Sharad Sinha of Indian Institute of Technology Goa, and
Sanjeev Das of University of North Carolina

IOHIDFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-3919: an anonymous researcher

IOThunderboltFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and
Luyi Xing of Indiana University Bloomington

Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai

Kernel
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: Multiple memory corruption issues were addressed with
improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz

libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com

Mail
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A remote attacker may be able to cause arbitrary JavaScript
code execution
Description: An injection issue was addressed with improved
validation.
CVE-2020-3884: Apple

sudo
Available for: macOS Catalina 10.15.3
Impact: An attacker may be able to run commands as a non-existent
user
Description: This issue was addressed by updating to sudo version
1.8.31.
CVE-2019-19232

TCC
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A maliciously crafted application may be able to bypass code
signing enforcement
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3906: Patrick Wardle of Jamf

Vim
Available for: macOS Catalina 10.15.3
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to version
8.1.1850.
CVE-2020-9769: Steve Hahn from LinkedIn

Additional recognition

CoreText
We would like to acknowledge an anonymous researcher for their
assistance.

FireWire Audio
We would like to acknowledge Xiaolong Bai and Min (Spark) Zheng of
Alibaba Inc. and Luyi Xing of Indiana University Bloomington for
their assistance.

FontParser
We would like to acknowledge Matthew Denton of Google Chrome for
their assistance.

Install Framework Legacy
We would like to acknowledge Pris Sears of Virginia Tech, Tom Lynch
of UAL Creative Computing Institute, and an anonymous researcher for
their assistance.

LinkPresentation
We would like to acknowledge Travis for their assistance.

OpenSSH
We would like to acknowledge an anonymous researcher for their
assistance.

rapportd
We would like to acknowledge Alexander Heinrich (@Sn0wfreeze) of
Technische Universität Darmstadt for their assistance.

Sidecar
We would like to acknowledge Rick Backley (@rback_sec) for their
assistance.

Installation note:

macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security
Update 2020-002 High Sierra may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
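As an added example (not Apple's or Packet Storm's code), a small Python parser for the APPLE-SA entry format used above: it re-joins the hard-wrapped `Available for`, `Impact` and `Description` lines, collects the CVE ids per component, and answers which CVEs apply to a given release string, which is the question a patch-management check has to answer. The sample text is constructed from two entries of this advisory; `parse_advisory` and `cves_affecting` are names chosen here.

```python
import re

# Constructed sample: two entries copied from the advisory above, keeping
# Apple's hard line-wrapping, which is what the parser has to undo.
SAMPLE_ADVISORY = """\
Bluetooth
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-3892: Yu Wang of Didi Research America
CVE-2020-3893: Yu Wang of Didi Research America
CVE-2020-3905: Yu Wang of Didi Research America

sudo
Available for: macOS Catalina 10.15.3
Impact: An attacker may be able to run commands as a non-existent
user
Description: This issue was addressed by updating to sudo version
1.8.31.
CVE-2019-19232
"""

FIELDS = ("Available for", "Impact", "Description")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?::\s*(.*))?$")


def parse_advisory(text):
    """Split APPLE-SA text into entries; hard-wrapped field lines are re-joined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry, current = {"component": lines[0].strip(), "cves": []}, None
        for line in lines[1:]:
            m = CVE_RE.match(line.strip())
            key = next((f for f in FIELDS if line.startswith(f + ":")), None)
            if m:  # CVE line; the credit after ':' is not needed for triage
                entry["cves"].append(m.group(1))
                current = None
            elif key:
                current, entry[key] = key, line[len(key) + 1:].strip()
            elif current:  # continuation of the previous wrapped field
                entry[current] += " " + line.strip()
        entry["Available for"] = [s.strip() for s in entry.get("Available for", "").split(",")]
        entries.append(entry)
    return entries


def cves_affecting(entries, release):
    """CVE ids from entries whose 'Available for' list names this release string."""
    return sorted({c for e in entries if release in e["Available for"] for c in e["cves"]})
```

Running `cves_affecting(parse_advisory(SAMPLE_ADVISORY), "macOS Mojave 10.14.6")` returns only the Bluetooth CVEs, since the sudo fix is listed for Catalina alone.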