Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Rounding up some of the major headlines from RSA

iOS users are reporting that photos they had deleted long ago suddenly showed up again after this week's 17.5 update.

iPhone owners are reporting that photos they’d deleted are now back on their phones, after updating to iOS 17.5.

With so many users reporting similar oddities, it would seem something went wrong, or at least different than to be expected. Here are some examples from Reddit:

> “When in conversation with my partner, I went to send a picture and saw that the latest pictures were nsfw material we’d made years ago”

> “I have four pics from 2010 that keep reappearing as the latest pics uploaded to iCloud. I have deleted them repeatedly.”

> “Same thing happened to me. Six photos from different times, all I have deleted. Some I had deleted in 2023.”

When you delete a photo from an iPhone or iPad, it goes into a “Recently deleted” album for up to 30 days to make it easy to recover if the photo is accidentally deleted. However, the above examples vastly exceed this timeframe, and it’s unclear exactly what’s happened here.

When you delete a file, actually all that happens is you remove the pointer that tells you where exactly the file is located. This makes it hard to find, but not impossible. Until the system uses the location of the deleted file and replaces it with other data, the file can be retrieved.

Apple’s last update for iOS 17.5 and iPadOS 17.5 came out on Monday with a warning to update your iPhone as soon as possible. That’s because iOS 17.5 fixes 15 security vulnerabilities, some of which are serious. Please don’t let this article stop you from installing the update, but it’s good to be prepared for some unexpected behavior.

At the time of writing, Apple hasn’t commented on the issue.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Deleted iPhone photos show up again after iOS update 

Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.

Talos releases new macOS open-source fuzzer

Google is introducing new AI-powered safety tools in Android 15 that can lock down your phone if thieves nab it.

Billions of Android phones are getting new tools to stop phone thieves from accessing your information and to slow down their criminal behavior, Google announced today at its I/O developer conference. Android phones will soon use artificial intelligence to automatically detect when they have been snatched from your hand and lock themselves, as part of the new changes that include adding extra protections to secure your phone if it has been stolen.

The upgrades—some of which will come with the Android 15 operating system, while others will be compatible with older phones—come as phone companies are increasingly building extra measures into their software to thwart rampant levels of phone thefts and further protect people’s data. As well as the stolen phone tools, Google is introducing new changes to Android 15 that will scan how apps are using “sensitive permissions” in real time to detect potentially suspicious app activities.

Around the world, phone thefts are a huge problem—in London, for example, a phone is stolen every six minutes. Thieves riding electric bikes or scooters can snatch phones out of people’s hands, pickpockets can easily nab devices from bags, and others are known to peer over shoulders to learn a phone’s PIN before they steal the device.

Stolen phones can be resold if they are unlocked or passed on to others who can break them down for parts and sell those components. However, some criminals will also try to access banking or crypto apps and transfer money. “The thieves profit from the physical device themselves, but they also increasingly are trying to get into the content of the device, where the most valuable data is stored,” Jianing Sandra Guo, an Android security and privacy product manager at Google, tells WIRED. Some thieves, if they have a locked phone, spam people with phishing emails and messages to friends to try and get login details.

Google’s anti-theft tools have been designed to add more protection before a phone is stolen, during the theft, and after a phone has been taken, Guo explains. In keeping with Google’s and the wider tech industry’s push, some of these have been built using artificial intelligence as a key component.

Courtesy of Google

Android’s new Theft Detection Lock uses Google’s AI to determine when your phone has been snatched from your hand. If it detects this, the phone’s screen will automatically be locked. Using smartphone sensors, such as the accelerometer and gyroscope, Google trained its algorithms to detect sudden changes in the phone’s positioning and the motions that might indicate it has been snatched.

“There’s a grabbing of the phone, changing hands, and then an attacker running, biking, or even driving away with a device,” Guo says. To train the algorithm, Google’s research staff studied how phones are commonly stolen, then its teams re-created snatching events against each other to collect data about what a simulated theft looks like.

Thieves stealing phones, Guo says, will often open the camera app when they don’t know the phone’s PIN, to stop them from losing access to the device. They also often try to disconnect it from cell networks for a long period of time so they can’t be locked out of the device remotely. The company’s new Offline Device Lock will lock your screen when the phone is offline for an extended period of time, if the setting is turned on.

To increase protections before a phone is stolen, Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

There’s also a new “private spaces” option where you can store sensitive apps, such as banking apps, that require a second PIN or use of your biometrics, such as a fingerprint, to access. There are also extra authentication controls being put in place: If a thief tries to disable Google's Find My Device location-tracking service they will need to also use your PIN, password, or biometric information to unlock it. If a thief does know your PIN, it will also be possible to turn on the need for biometric authentication to make changes to important Google account and device settings, such as a PIN change or turning off anti-theft settings.

The extra authentication features are similar to those introduced by Apple in its Stolen Device Protection system that debuted in iOS 17.3 earlier this year, although Google’s theft motion detection goes further than these tools. The aim of all anti-theft options is to lock down the information stored on phones but also to make it harder for criminals to abuse devices when they have them. Making it more difficult for criminals to resell phones or transfer money may help to deter thefts.

If your phone does get stolen, Android already allows phones to be locked and wiped. However, Guo says, the experience of having a phone swiped from your hands is a “traumatic” experience, and in the aftermath, people may not remember all their Google account login details to close off access to the phone. To address this, Google’s new Remote Lock feature will allow people to lock their phone using just a phone number. “The content of the device is protected, and it buys the user a lot of time … to be able to organize themselves and do further remediation,” Guo says.

Google’s new protections around factory resets will launch with Android 15, while some of the other features will be available later this year. Guo says that, where possible, Google has tried to make the features work on versions of the software as old as Android 10.

Aside from the anti-phone-theft tools, Android is coming with other security and privacy updates. Google’s app safety system, Google Play Protect, scans billions of apps every day to detect malware, but now this is being expanded to do live scanning on people’s phones to better detect suspicious behavior. “With live threat detection, Google Play Protect’s on-device AI will analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services,” Dave Kleidermacher, a Google vice president, writes in a blog post.

Other security-related updates to Android 15 include hiding notifications and one-time passwords from appearing if you are sharing your phone’s screen with others, hiding login details if you are logging in to an app or website while sharing your screen, and identifying when cell connections are unencrypted and alerting people if there is a “potential false cellular base station” or IMSI catcher nearby that is logging a user’s phone.

_Updated 2:45 pm ET, May 15, 2024, to clarify that several new features will be included in updates that are separate from Android 15 itself, according to Google._

Android Update: Theft Detection Lock Knows When Your Phone Is Stolen

Apple Security Advisory 05-13-2024-8 - tvOS 17.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-8 tvOS 17.5

tvOS 17.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214102.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtmQACgkQX+5d1TXa  
IvpH5hAAtZjOJDsDvmKZhDYNv+q147EOgkWQL99zvmBReygAUqk+KoLQQkkfRLP7  
zTw53l3zvcH5Tar065NTIr/9jW3MDlZ9ipKU5pwy2R6tWRkh5zug6T7WINpcLybv  
6U39illkCn4EOyTZSoET/kkbuu/CQ6QUPC/CX5R/FtBmAmLNcImRjIgHqRjQKVhO  
9ACminYR+gUbsSqn5OfU0hwbvX2pXzqzE8LoOmhgpJyJIbyUUPHt5C6DYmJ79dlf  
Ui0rXKF+kwzqDrAPxph3XhCW0F+IvceREMLefUQXxvQ/0eDZhkCGwyw4/zezoXhg  
k/rAGQ7EEd27AqyDGyRoLpmFvIXafTp3OrePNPnyjE7j06syH4NnkwQoLerdrW9x  
KOCWQYJ9v03SfJpzGQOVA+aP2sHe4jSR4mtq7m7dax6qKjKrLWog7aqu6+pZZ4Ga  
9AXLEU7sQgNF8TWosVgpUmQEas8v3GQflUqjHvczPyPr4T8Br5VhiM8FYj9SWsPb  
mO/57/3kdsaU6DrD1C1mf5SAjFFi65ox78n8hdXOe1B02fvpDOXyz278XBuVMWE0  
CfhrwhXicP0itQp/KtgrnT+iUhkuPieNBiped/KHPfe9YXOfpjGrtcPQfximiYsD  
rGPnxm5tCJPobmTzRUdsu9TSInqUP291SOvkyX1DEQUkIszm6ao=  
=oc3g  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-8

Apple Security Advisory 05-13-2024-7 - watchOS 10.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-7 watchOS 10.5

watchOS 10.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214104.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtuoACgkQX+5d1TXa  
IvoryhAA0MH7dQ2spvGCOs9o90Ha8QfUwkzV6S+x/kjtb+4dVh+Myyyxcq3HfJP/  
71NRMcHvxM2nE7d23D9TSDdkKqEckR/vpgRMR9oPPy+bLnqccu7Rx02dIyOcW0AD  
sOI+puKn2oVSENiQte+Rs5RBBslrzG5G+Ezr2BVyk5jA4q8f2yD3vFlc+4K6u4Xf  
xcM0rgqLTQ1Pe4CiJepLZlm5/I4ub9jNHgYw37lrBg8ptBBOP722Mt+XeuHcE0tr  
SCvoVCDePnbHPNzofgsSlv0bv6CpfvOYKgRouWzb3wf+a9Cg/2fPN39nZtVt7V+l  
WqSJjgGB71QgwtRpmr/nWz3VKzSE9xdnu0H6BOrVAC9qYWn1Qz9S0bfTVhWJDCvk  
XyGhpoHrsKOR/PDjm8nCx7MzqeWxsG/yaYHileud3a9tAx1g63kDrwaPjpG4sNg1  
U5pvYLE942yOoImWyFkfcnf9UCGqwdYiNR8uFyfuPoBFhiCM85CjwD3tM2UG0H5Q  
xxU1iYNIHPeDd4q5DEaFqtC3nNraY3JGoAO5im7vNFv4JcoiMb8ObNTLDkNduThd  
q1uB74m37Pfqq/PT2xtnACHfWpvUpu/Gc0JcUuS+uMB1nUbvPQpNNJqx7WHwk3Q2  
r8OvMZ1Vw+4APbZ7B5Jnj4pkxSAifC2HQ7FqytCGzRzGqHOrF60=  
=+u2d  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-7

Apple Security Advisory 05-13-2024-6 - macOS Monterey 12.7.5 addresses an issue where a malicious application may be able to access Find My data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-6 macOS Monterey 12.7.5

macOS Monterey 12.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214105.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Find My  
Available for: macOS Monterey  
Impact: A malicious application may be able to access Find My data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23229: Joshua Jewett (@JoshJewett33)

Foundation  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27789: Mickey Jin (@patch1t)

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Monterey 12.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtZ4ACgkQX+5d1TXa  
IvqR2g//T7xisOQJEBugIuk4sXS7qt1O1wchiJC99EBhXK4ulCyEcBMIdGSPp3zJ  
QmtwU/0nB5zOd5DsSQh6N+Jj9Wb6bLauR8d4QhyrlemttMSYGHPC47WkF0HIYiLv  
IGL+A/Z+uulb22sRb3MZ8CNDZA2mUVtRZKRnBwBNO2yZEofWvM4KNIyQThR2z17c  
MvZuVBEo9NFMuEeXRLzCwmDfe344j9f3eQyY/5mnYLXQx60Lzg6BZxF1nCbN+mYc  
vGHDPs3744sTmcj8pBLBX6629O/9uLe/IgQX8QDA1aaW9G/x2njICxecVHA9QRti  
BPhbQfh9DWvUo3Wrmk/6kDb/d3kb/arx/HE3x4M+AbXlXA1G8GVOrFig6W9bgJRX  
e1I0ZQhXvPqBAles4XK14x6cXzXGNfPjbwVgAAHSqsiDqBSp7CUPM5i/6yPRz7AN  
uJG54euZ+02i8NErPXbe91kgHNidWQVnUMxDkle2QT3/Wo3mKcLfEGRJU89wiGw3  
dkoclqgKD8vUT+EUiPShOAa5/FUVR9F7PjGDrV91IKBtwC8VoLmSMcu4hIKhlIFW  
xWat/sFCLVz+8nmRKVgn+xoSwtYvAvbImI83QQsf4Q+GH0WsgHG1dRw3VRjXy3US  
lOnT6nKXFCvB3n139cgHLp3Q5ZoRf1xKVv5/EvOIP9jagB13QbU=  
=cPoJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-6

Apple Security Advisory 05-13-2024-5 - macOS Ventura 13.6.7 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-05-13-2024-5 macOS Ventura 13.6.7macOS Ventura 13.6.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT214107.Apple maintains a Security Releases page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.FoundationAvailable for: macOS VenturaImpact: An app may be able to access user-sensitive dataDescription: A logic issue was addressed with improved checks.CVE-2024-27789: Mickey Jin (@patch1t)Login WindowAvailable for: macOS VenturaImpact: An attacker with knowledge of a standard user's credentials canunlock another standard user's locked screen on the same MacDescription: A logic issue was addressed with improved state management.CVE-2023-42861: an anonymous researcher, 凯 王, Steven Maser, MatthewMcLean, Brandon Chesser, CPU IT, inc, and Avalon IT Team of ConcentrixRTKitAvailable for: macOS VenturaImpact: An attacker with arbitrary kernel read and write capability maybe able to bypass kernel memory protections. Apple is aware of a reportthat this issue may have been exploited.Description: A memory corruption issue was addressed with improvedvalidation.CVE-2024-23296Additional recognitionApp StoreWe would like to acknowledge an anonymous researcher for theirassistance.macOS Ventura 13.6.7 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtJoACgkQX+5d1TXaIvrg7hAAr/7mbBr3n+eJIP7aXfLdQWZb/NQLK7i87jk0RDCweCeWf2ZDGSjEXn3I0t8qS9bFjouQi3c6Zgu96zIbZ7QHS2KZ3w+41Cjzknb+wKoxb6UkbDe8gaay/QODBQH/GVcFjdEKLJCbnBBjatpf9PgBTkMJQ7UvXbfCUksowN6dUnTcRyxB8fPyFp7yZrKfGLe2mfO3E6kx+lcqThgiKsKuuZNju0A0d8wFyEkKqcQOPtg6PYiM4MTkI+GsckdB1sYy9dK219Gx3s9kj/RUmjBl/rNweC6s85ltqQgzhO0vZtwlcoThM7eMmCAHddjx3YMbh2iv2ypE44xv7XzGik5PjNhWHbVqA2dvFsTuA1K1ZYy04dKQ7i9A/LAcs1THVT29cIA4Xzj1lWBviVHjmFYZG2xkssKf1haqs9H0YB0coZGrNMKVwrW5HBf71oYCr49z/iypIpM4dc7bC7VTPe25Q/Ri5da1D7tTtElY33Vi0uPTqcSQgIwAEN+kYNEbJrH1itk/kyW0y44TRSlo477UyDWXaNZXh8N7ClU1svAl7qUnDstLIPve+watsvlr2/nLwUEvV/3wbja3D6X35M/lwEX8rDA1HVjlNKEDfhV76xRae6Tx36y/5hGDCb6b666e9vh7p7KcaFd54TX+gnH8swkENhVBLV+mZWfSq0fMPTs==xqZE-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-5

Apple Security Advisory 05-08-2024-1 - iTunes 12.13.2 for Windows addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-08-2024-1 iTunes 12.13.2 for Windows

iTunes 12.13.2 for Windows addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214099.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Windows 10 and later  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27793: Willy R. Vasquez of The University of Texas at Austin

iTunes 12.13.2 for Windows may be obtained from:  
https://www.apple.com/itunes/download/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmY78cYACgkQX+5d1TXa  
IvrzDBAAlfeS0odTgHy5AqrW8H47U7kDb6Mob0XW7RF/eii3C3M07a+zZ6fqXrws  
NrR85Az++0l0LICFINyG2uqNlJP831J3ib4MQLmCp0awX5UPLdZ1JZE5afu4GAZk  
t0rDDfUYuhVrArYC1BaSMm3OjiSD3CctLxHPY4PDsLbaeq/J7kSz03Lr42TyLuIU  
wO/c0hxiNSPrrq6vlSO2yCFzuISkB+HkJMPNFst6h7lpCAfimw2pHXhzGKAHUzAG  
ra2TEi4/Zpd5heDhC8rXbVYAgc9q5YCkPT5EDPa4aIYqZynICNugrY5Y0OSV05sp  
l8LuuEsTJY/Vmf4+1xx+ZI2E8LReP/QMCA0pPOGEJXT5PifdrEVIRvV7vAGClWk3  
C9t4FpcYBIt4e3AwSoaQoykdPRCB5mEL+D+gfycLvJBmbng+PnE2T+oQYd6IkVu4  
toYaJ+jo6fNmHHFueBT7ecsCG6kDyJyd1tDTLLxCaTDVPvJ10uk/k68FYbpTy1rY  
EzBbKGnaHKrr2DNFQPiqFnonaLRvUUJXlH5RtlrWVH9/cAXE8sIPfrrO+NPIAEG2  
WoCKA0jOYhR/SO5O4VLqAi0yTSzrvWp7Gp//ov9J0f2S28kUP0kdUGL/Z8Lsbro9  
un3U1C3pgDwcsGrYXpU+Ye/98gUjz5bEu2dMbT5u2fVwkbOQBVs=  
=NV/p  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-08-2024-1

Apple Security Advisory 05-13-2024-4 - macOS Sonoma 14.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-4 macOS Sonoma 14.5

macOS Sonoma 14.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214106.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: A local attacker may gain access to Keychain items  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-27837: Mickey Jin (@patch1t) and ajajfxhj

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass certain Privacy preferences  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-27825: Kirin (@Pwnrin)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27829: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations, and Pwn2car working with Trend Micro's Zero Day  
Initiative

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27841: an anonymous researcher

CFNetwork  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A correctness issue was addressed with improved checks.  
CVE-2024-23236: Ron Masas of Imperva

Finder  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed through improved state management.  
CVE-2024-27827: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An attacker may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27818: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Libsystem  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed by removing vulnerable  
code and adding additional checks.  
CVE-2023-42893: an anonymous researcher

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27822: Scott Johnson, Mykola Grymalyuk of RIPEDA Consulting,  
Jordy Witteman, and Carlos Polop

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27824: Pedro Tôrres (@t0rr3sp3dr0)

PrintCenter  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27813: an anonymous researcher

RemoteViewServices  
Available for: macOS Sonoma  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27843: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

StorageKit  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2024-27798: Yann GASCUEL of Alter Solutions

Sync Services  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks  
CVE-2024-27847: Mickey Jin (@patch1t)

udf  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27842: CertiK SkyFall Team

Voice Control  
Available for: macOS Sonoma  
Impact: An attacker may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27796: ajajfxhj

WebKit  
Available for: macOS Sonoma  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Music  
We would like to acknowledge an anonymous researcher for their  
assistance.

PackageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Safari Downloads  
We would like to acknowledge Arsenii Kostromin (0x3c3e) for their  
assistance.

macOS Sonoma 14.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCs7MACgkQX+5d1TXa  
IvqKHhAApqwSNiF1fzn2XOuX2AH9sPVTbcdRTlWmD9lOfTnvinbn8J0oNSFoXxDS  
9NqJclCmrl4E/o9d1mUrV9ys1lAI/Hm0E3Hq2VmrEzd4umlDeRvGN2qFuqF+JnEc  
svHlZcAmGpN9eMvxwMin+PXqchqXItZeAwbE2UzD+xTxQftoe/SNSgIlTkncBsMO  
kKS3hlGcNH9fIJhvWY0f7NfX6XKmbxtK6+Glx652v0ayvNmtloBMer+lcy7VcNkL  
Na3bykhiALpwon07xGYmzCn6TsrLhsF4bwsXwdJAmKSJ3s/I8o2SITJtxmRMxv2I  
DXANRFtC+WaaVqmvOC22XcLuFDvKTH719AcdmxDwBLUQ4P1nQEvObp2OLskayhCp  
oEQPrgSWQerdwNse4Hv3JuQrxJWeKCgHTBbWPvfPL5DCX9u8xy/5QgJevrv8RX3g  
hOxqYtIdLKzGuJZWapgd0Cv+InrId5j0xcaUvGxA33lkTeYiOgXQIqjtvOJRNYqK  
2cS59vJkn3j+RwuVjVf27q802Jt1ET75eEMFVf0VJUvWWkGfOWpHvXs3qiUJYgqX  
TQcZIpZL1W4jpMjYtjqk9sf6thL2xb5eXv7BDBfiRIQJYUrTlyQKlIH9xbSH4wNA  
XyKKhjtfx9dsPI0wceBVBA5BCGrnlqNBtOr3+8OzcWFCe0qWOKc=  
=NXp8  
-----END PGP SIGNATURE-----

Tag

#apple