-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-03-14-4 macOS Monterey 12.3

macOS Monterey 12.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213183.

Accelerate Framework
Available for: macOS Monterey
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2022-22633: an anonymous researcher

AMD
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22669: an anonymous researcher

AppKit
Available for: macOS Monterey
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22665: Lockheed Martin Red Team

AppleGraphicsControl
Available for: macOS Monterey
Impact: An application may be able to gain elevated privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22631: an anonymous researcher

AppleScript
Available for: macOS Monterey
Impact: Processing a maliciously crafted AppleScript binary may
result in unexpected application termination or disclosure of process
memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

AppleScript
Available for: macOS Monterey
Impact: An application may be able to read restricted memory
Description: This issue was addressed with improved checks.
CVE-2022-22648: an anonymous researcher

AppleScript
Available for: macOS Monterey
Impact: Processing a maliciously crafted AppleScript binary may
result in unexpected application termination or disclosure of process
memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro
CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

AppleScript
Available for: macOS Monterey
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

BOM
Available for: macOS Monterey
Impact: A maliciously crafted ZIP archive may bypass Gatekeeper
checks
Description: This issue was addressed with improved checks.
CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley
(@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

curl
Available for: macOS Monterey
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating to curl
version 7.79.1.
CVE-2021-22946
CVE-2021-22947
CVE-2021-22945
CVE-2022-22623

FaceTime
Available for: macOS Monterey
Impact: A user may send audio and video in a FaceTime call without
knowing that they have done so
Description: This issue was addressed with improved checks.
CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael
Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa
of Rutgers University, and Bao Nguyen of the University of Florida

ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2022-22611: Xingyu Jin of Google

ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2022-22612: Xingyu Jin of Google

Intel Graphics Driver
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A type confusion issue was addressed with improved state
handling.
CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba
Security Pandora Lab

IOGPUFamily
Available for: macOS Monterey
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22641: Mohamed Ghannam (@_simo36)

Kernel
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22613: Alex, an anonymous researcher

Kernel
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22614: an anonymous researcher
CVE-2022-22615: an anonymous researcher

Kernel
Available for: macOS Monterey
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state
management.
CVE-2022-22632: Keegan Saunders

Kernel
Available for: macOS Monterey
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A null pointer dereference was addressed with improved
validation.
CVE-2022-22638: derrek (@derrekr6)

Kernel
Available for: macOS Monterey
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22640: sqrtpwn

libarchive
Available for: macOS Monterey
Impact: Multiple issues in libarchive
Description: Multiple memory corruption issues existed in libarchive.
These issues were addressed with improved input validation.
CVE-2021-36976

Login Window
Available for: macOS Monterey
Impact: A person with access to a Mac may be able to bypass Login
Window
Description: This issue was addressed with improved checks.
CVE-2022-22647: an anonymous researcher

LoginWindow
Available for: macOS Monterey
Impact: A local attacker may be able to view the previous logged in
user’s desktop from the fast user switching screen
Description: An authentication issue was addressed with improved
state management.
CVE-2022-22656

GarageBand MIDI
Available for: macOS Monterey
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2022-22657: Brandon Perry of Atredis Partners

GarageBand MIDI
Available for: macOS Monterey
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2022-22664: Brandon Perry of Atredis Partners

NSSpellChecker
Available for: macOS Monterey
Impact: A malicious application may be able to access information
about a user's contacts
Description: A privacy issue existed in the handling of Contact
cards. This was addressed with improved state management.
CVE-2022-22644: an anonymous researcher

PackageKit
Available for: macOS Monterey
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2022-22617: Mickey Jin (@patch1t)

Preferences
Available for: macOS Monterey
Impact: A malicious application may be able to read other
applications' settings
Description: The issue was addressed with additional permissions
checks.
CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)
of Tencent Security Xuanwu Lab (xlab.tencent.com)

QuickTime Player
Available for: macOS Monterey
Impact: A plug-in may be able to inherit the application's
permissions and access user data
Description: This issue was addressed with improved checks.
CVE-2022-22650: Wojciech Reguła (@_r3ggi) of SecuRing

Safari Downloads
Available for: macOS Monterey
Impact: A maliciously crafted ZIP archive may bypass Gatekeeper
checks
Description: This issue was addressed with improved checks.
CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley
(@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

Sandbox
Available for: macOS Monterey
Impact: A malicious application may be able to bypass certain Privacy
preferences
Description: The issue was addressed with improved permissions logic.
CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited,
Khiem Tran

Siri
Available for: macOS Monterey
Impact: A person with physical access to a device may be able to use
Siri to obtain some location information from the lock screen
Description: A permissions issue was addressed with improved
validation.
CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin,
McCombs School of Business (linkedin.com/andrew-goldberg/)

SMB
Available for: macOS Monterey
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2022-22651: Felix Poulin-Belanger

SoftwareUpdate
Available for: macOS Monterey
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2022-22639: Mickey Jin (@patch1t)

System Preferences
Available for: macOS Monterey
Impact: An app may be able to spoof system notifications and UI
Description: This issue was addressed with a new entitlement.
CVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)

UIKit
Available for: macOS Monterey
Impact: A person with physical access to an iOS device may be able to
see sensitive information via keyboard suggestions
Description: This issue was addressed with improved checks.
CVE-2022-22621: Joey Hewitt

Vim
Available for: macOS Monterey
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating Vim.
CVE-2021-4136
CVE-2021-4166
CVE-2021-4173
CVE-2021-4187
CVE-2021-4192
CVE-2021-4193
CVE-2021-46059
CVE-2022-0128
CVE-2022-0156
CVE-2022-0158

VoiceOver
Available for: macOS Monterey
Impact: A user may be able to view restricted content from the lock
screen
Description: A lock screen issue was addressed with improved state
management.
CVE-2021-30918: an anonymous researcher

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cookie management issue was addressed with improved
state management.
WebKit Bugzilla: 232748
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 232812
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
WebKit Bugzilla: 233172
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab
WebKit Bugzilla: 234147
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
WebKit Bugzilla: 234966
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro
Zero Day Initiative

WebKit
Available for: macOS Monterey
Impact: A malicious website may cause unexpected cross-origin
behavior
Description: A logic issue was addressed with improved state
management.
WebKit Bugzilla: 235294
CVE-2022-22637: Tom McKee of Google

Wi-Fi
Available for: macOS Monterey
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved restrictions.
CVE-2022-22668: MrPhil17

xar
Available for: macOS Monterey
Impact: A local user may be able to write arbitrary files
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2022-22582: Richard Warren of NCC Group

Additional recognition

AirDrop
We would like to acknowledge Omar Espino (omespino.com), Ron Masas of
BreakPoint.sh for their assistance.

Bluetooth
We would like to acknowledge an anonymous researcher, chenyuwang
(@mzzzz__) of Tencent Security Xuanwu Lab for their assistance.

Face Gallery
We would like to acknowledge Tian Zhang (@KhaosT) for their
assistance.

Intel Graphics Driver
We would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi
Wu (@3ndy1) for their assistance.

Local Authentication
We would like to acknowledge an anonymous researcher for their
assistance.

Notes
We would like to acknowledge Nathaniel Ekoniak of Ennate Technologies
for their assistance.

Password Manager
We would like to acknowledge Maximilian Golla (@m33x) of Max Planck
Institute for Security and Privacy (MPI-SP) for their assistance.

Siri
We would like to acknowledge an anonymous researcher for their
assistance.

syslog
We would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for
their assistance.

TCC
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.

UIKit
We would like to acknowledge Tim Shadel of Day Logger, Inc. for their
assistance.

WebKit
We would like to acknowledge Abdullah Md Shaleh for their assistance.

WebKit Storage
We would like to acknowledge Martin Bajanik of FingerprintJS for
their assistance.

macOS Monterey 12.3 may be obtained from the Mac App Store or Apple's
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmIv0O4ACgkQeC9qKD1p
rhjGGRAAjqIyEzN+LAk+2uzHIMQNEwav9fqo/ZNoYAOzNgActK56PIC/PBM3SzHd
LrGFKbBq/EMU4EqXT6ycB7/uZfaAZVCBDNo1qOoYNHXnKtGL2Z/96mV14qbSmRvC
jfg1pC0G1jPTxJKvHhuQSZHDGj+BI458fwuTY48kjCnzlWf9dKr2kdjUjE38X9RM
0upKVKqY+oWdbn5jPwgZ408NOqzHrHDW1iIYd4v9UrKN3pfMGDzVZTr/offL6VFL
osOVWv1IZvXrhPsrtd2KfG0hTHz71vShVZ7jGAsGEdC/mT79zwFbYuzBFy791xFa
rizr/ZWGfWBSYy8O90d1l13lDlE739YPc/dt1mjcvP9FTnzMwBagy+6//zAVe0v/
KZOjmvtK5sRvrQH54E8qTYitdMpY2aZhfT6D8tcl+98TjxTDNXXj/gypdCXNWqyB
L1PtFhTjQ0WnzUNB7sosM0zAjfZ1iPAZq0XHDQ6p6gEdVavNOHo/ekgibVm5f1pi
kwBHkKyq55QbzipDWwXl6Owk/iaHPxgENYb78BpeUQSFei+IYDUsyLkPh3L95PHZ
JSyKOtbBArlYOWcxlYHn+hDK8iotA1c/SHDefYOoNkp1uP853Ge09eWq+zMzUwEo
GXXJYMi1Q8gmJ9wK/A3d/FKY4FBZxpByUUgjYhiMKTU5cSeihaI=
=RiA+
-----END PGP SIGNATURE-----