-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-12-15-2 macOS Monterey 12.1

macOS Monterey 12.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212978.

Airport
Available for: macOS Monterey
Impact: A device may be passively tracked via BSSIDs
Description: An access issue was addressed with improved access
restrictions.
CVE-2021-30987: Jason Meller, Fritz Ifert-Miller, and Joseph Sokol-
Margolis of Kolide

Archive Utility
Available for: macOS Monterey
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30950: @gorelics

Audio
Available for: macOS Monterey
Impact: Parsing a maliciously crafted audio file may lead to
disclosure of user information
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30960: JunDong Xie of Ant Security Light-Year Lab

Bluetooth
Available for: macOS Monterey
Impact: A device may be passively tracked by its Bluetooth MAC
address
Description: A device configuration issue was addressed with an
updated configuration.
CVE-2021-30986: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc.

CFNetwork Proxies
Available for: macOS Monterey
Impact: User traffic might unexpectedly be leaked to a proxy server
despite PAC configurations
Description: A logic issue was addressed with improved state
management.
CVE-2021-30966: Michal Rajcan of Jamf, Matt Vlasach of Jamf (Wandera)

ColorSync
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue in the processing of ICC
profiles was addressed with improved input validation.
CVE-2021-30926: Jeremy Brown
CVE-2021-30942: Mateusz Jurczyk of Google Project Zero

CoreAudio
Available for: macOS Monterey
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30957: JunDong Xie of Ant Security Light-Year Lab

CoreAudio
Available for: macOS Monterey
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab

Crash Reporter
Available for: macOS Monterey
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Graphics Drivers
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-30977: Jack Dates of RET2 Systems, Inc.

ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab, Mickey Jin (@patch1t) of Trend Micro

Intel Graphics Driver
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2021-30981: Liu Long of Ant Security Light-Year Lab, an anonymous
researcher

IOMobileFrameBuffer
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30996: Saar Amar (@AmarSaar)

IOUSBHostFamily
Available for: macOS Monterey
Impact: A remote attacker may be able to cause unexpected application
termination or heap corruption
Description: A race condition was addressed with improved locking.
CVE-2021-30982: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC
Riverside, and Yu Wang of Didi Research America

Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption vulnerability was addressed with
improved locking.
CVE-2021-30937: Sergei Glazunov of Google Project Zero

Kernel
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30927: Xinru Chi of Pangu Lab
CVE-2021-30980: Xinru Chi of Pangu Lab

Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-30949: Ian Beer of Google Project Zero

Kernel
Available for: macOS Monterey
Impact: An attacker in a privileged network position may be able to
execute arbitrary code
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30993: OSS-Fuzz, Ned Williamson of Google Project Zero

Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30955: Zweig of Kunlun Lab

LaunchServices
Available for: macOS Monterey
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state
management.
CVE-2021-30976: chenyuwang (@mzzzz__) and Kirin (@Pwnrin) of Tencent
Security Xuanwu Lab

LaunchServices
Available for: macOS Monterey
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved validation.
CVE-2021-30990: Ron Masas of BreakPoint.sh

Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30971: Ye Zhang (@co0py_Cat) of Baidu Security

Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted file may disclose user
information
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-30973: Ye Zhang (@co0py_Cat) of Baidu Security

Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-30929: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab

Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30979: Mickey Jin (@patch1t) of Trend Micro

Model I/O
Available for: macOS Monterey
Impact: Processing a maliciously crafted USD file may disclose memory
contents
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30940: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab
CVE-2021-30941: Rui Yang and Xingwei Lin of Ant Security Light-Year
Lab

Preferences
Available for: macOS Monterey
Impact: A malicious application may be able to elevate privileges
Description: A race condition was addressed with improved state
handling.
CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin
(@patch1t)

Sandbox
Available for: macOS Monterey
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A validation issue related to hard link behavior was
addressed with improved sandbox restrictions.
CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security

Sandbox
Available for: macOS Monterey
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30946: @gorelics

Sandbox
Available for: macOS Monterey
Impact: An application may be able to access a user's files
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2021-30947: Csaba Fitzl (@theevilbit) of Offensive Security

Script Editor
Available for: macOS Monterey
Impact: A malicious OSAX scripting addition may bypass Gatekeeper
checks and circumvent sandbox restrictions
Description: This issue was addressed by disabling execution of
JavaScript when viewing a scripting dictionary.
CVE-2021-30975: Ryan Pickren (ryanpickren.com)

TCC
Available for: macOS Monterey
Impact: A local user may be able to modify protected parts of the
file system
Description: A logic issue was addressed with improved state
management.
CVE-2021-30767: @gorelics

TCC
Available for: macOS Monterey
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An inherited permissions issue was addressed with
additional restrictions.
CVE-2021-30964: Andy Grant of Zoom Video Communications

TCC
Available for: macOS Monterey
Impact: A malicious application may be able to bypass Privacy
preferences
Description: A logic issue was addressed with improved state
management.
CVE-2021-30970: Jonathan Bar Or of Microsoft

TCC
Available for: macOS Monterey
Impact: A malicious application may be able to cause a denial of
service to Endpoint Security clients
Description: A logic issue was addressed with improved state
management.
CVE-2021-30965: Csaba Fitzl (@theevilbit) of Offensive Security

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2021-30934: Dani Biro

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-30936: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua
wingtecher lab
CVE-2021-30951: Pangu

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2021-30952: WeBin

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A race condition was addressed with improved state
handling.
CVE-2021-30984: Kunlun Lab

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-30953: VRIJ

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2021-30954: Kunlun Lab

Wi-Fi
Available for: macOS Monterey
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: This issue was addressed with improved checks.
CVE-2021-30938: Xinru Chi of Pangu Lab

Additional recognition

Admin Framework
We would like to acknowledge Simon Andersen of Aarhus University and
Pico Mitchell for their assistance.

Bluetooth
We would like to acknowledge Haram Park, Korea University for their
assistance.

CloudKit
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their
assistance.

ColorSync
We would like to acknowledge Mateusz Jurczyk of Google Project Zero
for their assistance.

Contacts
We would like to acknowledge Minchan Park (03stin) for their
assistance.

Kernel
We would like to acknowledge Amit Klein of Bar-Ilan University's
Center for Research in Applied Cryptography and Cyber Security for
their assistance.

Model I/O
We would like to acknowledge Rui Yang and Xingwei Lin of Ant Security
Light-Year Lab for their assistance.

WebKit
We would like to acknowledge Jzhu, Peter Snyder of Brave, and Soroush
Karami for their assistance.

Installation note:
This update may be obtained from the Mac App Store

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmG6UnQACgkQeC9qKD1p
rhjTWxAAgLq1g4FPZ9i7F89gyuMX+STs0qfn8cIyrS1Qo0F0Iu3GU/7ylecdtRYB
mfYXE4GSitjUmnm4mXIMdGh1A1jGLf50Z6kgzriYAnbqqq329ImBf12bX7oCLSgU
3xoVjcVTmco9a7vO1SH/c+Fo9DT+uITaY+QIk5imdEWOxQItiNjH46ITcOM1JITk
eC5GEsDHDrNzLNrbbN+gocdyWFYVnahbj6mXE7yiBPYpzAw8e4JPVaf/jCoR7U+7
ibG4X+VvDl5Pfb6yxeLxUhPdfdihvOu9dQrUJoJv6TTaNR8tCiNrq1hFGURucmaL
QJp6HRHAbHH8XGSijLANs5ygfP6JMu+LtEQ4YUiH6CFlZlPlSYEQ4h8flZF7Pagj
e4efK1rCg0dUWhAmiQOujqhOFAEGKTfcah4ETppOhhbdB6fz3ObAObNLTFhqXGv1
PONN5VTLj9iMI4HHblafxa1tpxYiEHmVLU6+UxellGTcnGnyVprTuZNrQksoepEM
KJpgmMHOWZQTQmEoqUfaTp/DsHAp7wvTFzVOwlvWlZ+J0VcZCHkNpuxGZQHI4TLo
44QRLDzsvlelbL1pqi2ww8LG6tcTgmc1ZIMbqY8pIaFnTQ0cDUyC0V3tp0q7U3bk
YbqtZoi9gsiWm5D/nTq6NDi8z7eXYCvSjZFnMA0xfXHqu43zUs4=jF2e
-----END PGP SIGNATURE-----