All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: diglloyd.com photography and WindInMyFace.com

Links on this site earn me fees or commissions.
As an Amazon Associate I earn from qualifying purchases @AMAZON

Consult with Lloyd: cameras, computers, backup, etc...
Lloyd’s Patreon
Designed for the most demanding needs of photographers and videographers.
Connect and charge all of your devices through a single Thunderbolt or USB-C port.

Concerned about macOS Security Fixes

2019-03-30 - SEND FEEDBACK

Related: Apple, Apple macOS, memory, security

Update: looks like my concerns were spot-on, that is, Apple released an updates to the update on March 30. For macOS High Sierra, the build number with the updated update should be macOS 10.13.6 (17G6030), as seen in About This Mac => System Report => Software.

MPG recommends the following settings for updates.

Recommended App Store preferences for system updates
(for those who travel and/or want security without unwanted updates)

Ambiguity issue with macOS security update (initial post)

I’m bothered by Apple’s ambiguity in About the security content of macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra.

Specifically there are two bad things at work and one of them must be true: either macOS 10.14 Mojave introduced some serious new bugs, or those bugs are not being fixed for macOS 10.13 High Sierra. Either way is bad, but I’d at least like to know the answer.

An excerpt below demonstrates why I am confused: if a bug is fixed in Mojave but not High Sierra, is it a new bug in Mojave only, or does the bug still exist in High Sierra? Apple doesn’t say. Either way looks like B-team work for Apple.

Bom
Available for: macOS Mojave 10.14.3  <== new bug or not fixed in High Sierra?
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file metadata.
CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString
Available for: macOS Mojave 10.14.3 <== new bug or not fixed in High Sierra?
Impact: Processing a maliciously crafted string may lead to a denial of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: macOS Mojave 10.14.3 <== new bug or not fixed in High Sierra?
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: macOS Mojave 10.14.3 <== new bug or not fixed in High Sierra?
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: macOS Mojave 10.14.3 <== new bug or not fixed in High Sierra?
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8542: an anonymous researcher
DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3  fixed for 3 macOS versions
Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password
Description: A logic issue was addressed with improved state management.
CVE-2019-8522: Colin Meginnis (@falc420)
...
View all handpicked deals...

Apple 16.2" MacBook Pro with M1 Max Chip (Late 2021, Space Gray)
$3499 $2399
SAVE $1100

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2020 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__