-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2023-03-27-3 macOS Ventura 13.3

macOS Ventura 13.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213670.

AMD
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2023-27968: ABC Research s.r.o.

Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
CVE-2023-23532: Mohamed Ghannam (@_simo36)

AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)

AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable
code.
CVE-2023-27931: Mickey Jin (@patch1t)

Archive Utility
Available for: macOS Ventura
Impact: An archive may be able to bypass Gatekeeper
Description: The issue was addressed with improved checks.
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl
(@theevilbit) of Offensive Security

Calendar
Available for: macOS Ventura
Impact: Importing a maliciously crafted calendar invitation may
exfiltrate user information
Description: Multiple validation issues were addressed with improved
input sanitization.
CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

Camera
Available for: macOS Ventura
Impact: A sandboxed app may be able to determine which app is
currently using the camera
Description: The issue was addressed with additional restrictions on
the observability of app states.
CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

Carbon Core
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync
Available for: macOS Ventura
Impact: An app may be able to read arbitrary files
Description: The issue was addressed with improved checks.
CVE-2023-27955: JeongOhKyea

CommCenter
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2023-27936: Tingting Yin of Tsinghua University

CoreCapture
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University

curl
Available for: macOS Ventura
Impact: Multiple issues in curl
Description: Multiple issues were addressed by updating curl.
CVE-2022-43551
CVE-2022-43552

dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: A memory initialization issue was addressed.
CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

dcerpc
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to cause
a denial-of-service
Description: A denial-of-service issue was addressed with improved
memory handling.
CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc
Available for: macOS Ventura
Impact: A remote user may be able to cause unexpected system
termination or corrupt kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Display
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2023-27965: Proteas of Pangu Lab

FaceTime
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed by moving sensitive data
to a more secure location.
CVE-2023-28190: Joshua Jones

Find My
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23537: an anonymous researcher

FontParser
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation
Available for: macOS Ventura
Impact: Parsing a maliciously crafted plist may lead to an unexpected
app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input
validation.
CVE-2023-27937: an anonymous researcher

iCloud
Available for: macOS Ventura
Impact: A file from an iCloud shared-by-me folder may be able to
bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper
on files downloaded from an iCloud shared-by-me folder.
CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

Identity Services
Available for: macOS Ventura
Impact: An app may be able to access information about a user’s
contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki

ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted image may result in
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz
Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google
Project Zero
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel
Available for: macOS Ventura
Impact: An app with root privileges may be able to execute arbitrary
code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn

Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2023-27941: Arsenii Kostromin (0x3c3e)

Kernel
Available for: macOS Ventura
Impact: An app may be able to disclose kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

LaunchServices
Available for: macOS Ventura
Impact: Files downloaded from the internet may not have the
quarantine flag applied
Description: This issue was addressed with improved checks.
CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk,
and Arthur Valiev

LaunchServices
Available for: macOS Ventura
Impact: An app may be able to gain root privileges
Description: This issue was addressed with improved checks.
CVE-2023-23525: Mickey Jin (@patch1t)

Model I/O
Available for: macOS Ventura
Impact: Processing a maliciously crafted file may lead to unexpected
app termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2023-27949: Mickey Jin (@patch1t)

NetworkExtension
Available for: macOS Ventura
Impact: A user in a privileged network position may be able to spoof
a VPN server that is configured with EAP-only authentication on a
device
Description: The issue was addressed with improved authentication.
CVE-2023-28182: Zhuowei Zhang

PackageKit
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file
system
Description: A logic issue was addressed with improved checks.
CVE-2023-23538: Mickey Jin (@patch1t)
CVE-2023-27962: Mickey Jin (@patch1t)

Photos
Available for: macOS Ventura
Impact: Photos belonging to the Hidden Photos Album could be viewed
without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.
CVE-2023-23523: developStorm

Podcasts
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch1t)

Safari
Available for: macOS Ventura
Impact: An app may bypass Gatekeeper checks
Description: A race condition was addressed with improved locking.
CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

Sandbox
Available for: macOS Ventura
Impact: An app may be able to modify protected parts of the file
system
Description: A logic issue was addressed with improved checks.
CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI
Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

Sandbox
Available for: macOS Ventura
Impact: An app may be able to bypass Privacy preferences
Description: A logic issue was addressed with improved validation.
CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

Shortcuts
Available for: macOS Ventura
Impact: A shortcut may be able to use sensitive data with certain
actions without prompting the user
Description: The issue was addressed with additional permissions
checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and
Wenchao Li and Xiaolong Bai of Alibaba Group

System Settings
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23542: an anonymous researcher

System Settings
Available for: macOS Ventura
Impact: An app may be able to read sensitive location information
Description: A permissions issue was addressed with improved
validation.
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

TCC
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable
code.
CVE-2023-27931: Mickey Jin (@patch1t)

Vim
Available for: macOS Ventura
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to Vim
version 9.0.1191.
CVE-2023-0049
CVE-2023-0051
CVE-2023-0054
CVE-2023-0288
CVE-2023-0433
CVE-2023-0512

WebKit
Available for: macOS Ventura
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: This issue was addressed with improved state management.
CVE-2023-27932: an anonymous researcher

WebKit
Available for: macOS Ventura
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
CVE-2023-27954: an anonymous researcher

XPC
Available for: macOS Ventura
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with a new entitlement.
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock
We would like to acknowledge Christian Mina for their assistance.

AppleScript
We would like to acknowledge Mickey Jin (@patch1t) for their
assistance.

CFNetwork
We would like to acknowledge an anonymous researcher for their
assistance.

Control Center
We would like to acknowledge an anonymous researcher for their
assistance.

CoreServices
We would like to acknowledge Mickey Jin (@patch1t) for their
assistance.

dcerpc
We would like to acknowledge Aleksandar Nikolic of Cisco Talos for
their assistance.

FaceTime
We would like to acknowledge Sajan Karki for their assistance.

file_cmds
We would like to acknowledge Lukas Zronek for their assistance.

Git
We would like to acknowledge for their assistance.

Heimdal
We would like to acknowledge Evgeny Legerov of Intevydis for their
assistance.

ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their
assistance.

Mail
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster
University of Applied Sciences, Damian Poddebniak of FH Münster
University of Applied Sciences, Tobias Kappert of Münster University
of Applied Sciences, Christoph Saatjohann of Münster University of
Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz
Center for Information Security for their assistance.

NSOpenPanel
We would like to acknowledge Alexandre Colucci (@timacfr) for their
assistance.

quarantine
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc.
for their assistance.

Safari Downloads
We would like to acknowledge Andrew Gonzalez for their assistance.

WebKit
We would like to acknowledge an anonymous researcher for their
assistance.

WebKit Web Inspector
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer
(@pwning_me) of SSD Labs for their assistance.

Wi-Fi
We would like to acknowledge an anonymous researcher for their
assistance.

macOS Ventura 13.3 may be obtained from the Mac App Store or Apple's
Software Downloads web site: https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke
NxlDUw/8COhSvqsTrIJtGhMmZJ83+R9pZPGZIhY0eOZbFp+yCFBRYE9IIzv785uM
LQ+2ZsBqCtsMp3ZDhYFvEvigGPnCpfnZrd/JBsPXz7O6HfSG2whOIHtSu+LAvOxk
OwACJZru6PqmTh4br7QRDHt41E4fP4KZPpAdM7Wbiu6Ikg2h71kp+9CMdliVr7o1
+B1yVUqnihsB1IDs2grNhmuVGWG1bP7fgAON0zQa4HkvqU9p4XlDeohnZ2V9y+3n
J8C7agCkos+7aKDrbv72sJ3T5sBe1dozca5pEYZyh0zGhxP8Q6c0zwhiatRY0hKw
I6yeFPBQ94ez+qTCj2YU/9Nz0tFQja3UBJw9zyIJr5A/ZiporZCwe8HUp5n3bGAm
JZlSM6aNdVjgbrGBjwpHSE2kSv3WpBe8EZhMA1iCbGIxwGWdz23L/Hrnqs7TFqzm
kXV0bHIjbO6jNPhm0V+QqZbDCC88H54ovrLuojgW2L562n+vLDb4u3VE5yfAJ9Zk
KZCqNPXm0kkSimjF5JExGBTDFpt92XY3cMYItxSCtSnebL+5OmbY90C2OnAjAIwJ
qGiD/AEPRgcuJpfMvtydLo0eau5hptR4nqFY1oHEpbWCHfDycz0zhvZaTUHyVIv5
m1X8VhzBgXwKUzjkz7lBLl9R9pebBLU90KXLOJsF8j3bOUS6ddU=
=7+Lt
-----END PGP SIGNATURE-----