Apple、「macOS Mojave 10.14.6」をリリース 不具合と44件の脆弱性を修正

macOS 10.14.6アップデート   –– 再起動が必要です

macOS Mojave 10.14.6アップデートでは、お使いのMacの安定性と信頼性が改善されます。このアップデートは、すべてのユーザに推奨されます。

このアップデートの内容:

• Fusion Driveを搭載したiMacおよびMac miniで新規Boot Campパーティションを作成できない問題を修正

• 再起動中にハングすることがある問題を解消

• スリープ解除したときに発生することがあるグラフィックスの問題を解消

• Mac miniでフルスクリーンビデオが黒く表示されることがある問題を修正

• SMBによるファイル共有の信頼性を向上

このアップデートについて詳しくは、こちらを参照してください: https://support.apple.com/kb/HT209149

このアップデートのセキュリティコンテンツについて詳しくは、こちらを参照してください

macOS Mojave 10.14.6追加アップデート   –– 再起動が必要です

macOS Mojave 10.14.6追加アップデートでは、一部のMacで正常にスリープ解除されないことがある問題が修正されました。


Appleソフトウェア・アップデートのセキュリティコンテンツについては、このWebサイトを参照してください

Apple、「macOS Mojave 10.14.6」をリリース ~不具合と44件の脆弱性を修正

 米Appleは7月22日(現地時間)、「macOS Mojave 10.14.6」をリリースした。「macOS Mojave」のユーザーは、無償でアップデートできる。

 本バージョンはは安定性、互換性、およびセキュリティを目的としたメンテナンスアップデート。“Fusion Drive”を搭載した一部モデルで新規に「Boot Camp」パーティションを作成できない問題や、再起動中にハングする問題、スリープ解除したときに発生するグラフィックスの問題、“Mac mini”でフルスクリーンビデオが黒く表示される問題などが解決された。また、「SMB」を利用したファイル共有の信頼性が向上しているという。

 また、脆弱性の修正も行われているので注意。旧バージョンの「macOS High Sierra」「macOS Sierra」に対しても、セキュリティ更新プログラム「Security Update 2019-004」が提供されている。

 同社が公表したセキュリティ情報によると、これらのOSで修正された脆弱性はCVE番号ベースで44件。任意のコード実行、機密情報の漏洩、セキュリティ機能「Gatekeeper」の迂回などにつながる恐れがあり、早急なアップデートが必要だ。

 また、Webブラウザー「Safari」にもセキュリティアップデートが提供されている。最新版の「Safari 12.1.2」では、CVE番号ベースで23件の脆弱性が修正された。

macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra

Released July 22, 2019

AppleGraphicsControl

Available for: macOS Mojave 10.14.5

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8693: Arash Tohidi of Solita

autofs

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.5, macOS High Sierra 10.13.6

Impact: Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files mounted through a network share.

CVE-2019-8656: Filippo Cavallarin

Bluetooth

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-19860

Carbon Core

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8661: Natalie Silvanovich of Google Project Zero

Core Data

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and Natalie Silvanovich of Google Project Zero

Disk Management

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8697: ccpwd working with Trend Micro’s Zero Day Initiative

FaceTime

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu

Found in Apps

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: This issue was addressed with improved checks.

CVE-2019-8663: Natalie Silvanovich of Google Project Zero

Foundation

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero

Grapher

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8695: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Graphics Drivers

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8691: Aleksandr Tarasikov (@astarasikov), Arash Tohidi of Solita, Lilang Wu and Moony Li of Trend Micro

CVE-2019-8692: Lilang Wu and Moony Li of Trend Micro

Heimdal

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

IOAcceleratorFamily

Available for: macOS Mojave 10.14.5

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8694: Arash Tohidi of Solita

libxslt

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

Quick Look

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: Natalie Silvanovich and Samuel Groß of Google Project Zero

Safari

Available for: macOS Mojave 10.14.5

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2019-8670: Tsubasa FUJII (@reinforchu)

Security

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8697: ccpwd working with Trend Micro’s Zero Day Initiative

Siri

Available for: macOS Mojave 10.14.5

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Time Machine

Available for: macOS Mojave 10.14.5

Impact: The encryption status of a Time Machine backup may be incorrect

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2019-8667: Roland Kletzing of cyber:con GmbH

UIFoundation

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.5

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

WebKit

Available for: macOS Mojave 10.14.5

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: an anonymous researcher, Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Additional recognition

Classroom

We would like to acknowledge Jeff Johnson of underpassapp.com for their assistance.

Game Center

We would like to acknowledge Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc. for their assistance.

🍎たったひとつの真実見抜く、見た目は大人、頭脳は子供、その名は名馬鹿ヒカル!🍏