About the security content of macOS Monterey 12.0.1

About the security content of macOS Monterey 12.0.1

About the security content of macOS Monterey 12.0.1

This document describes the security content of macOS Monterey 12.0.1.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Monterey 12.0.1

Released October 25, 2021

AppKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2021-30873: Thijs Alkemade of Computest

AppleScript

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30876: Jeremy Brown, hjy79425575

CVE-2021-30879: Jeremy Brown, hjy79425575

CVE-2021-30877: Jeremy Brown

CVE-2021-30880: Jeremy Brown

App Store

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to access local users' Apple IDs

Description: An access issue was addressed with improved access restrictions.

CVE-2021-30994: Sergii Kryvoblotskyi of MacPaw Inc.

Entry added May 25, 2022

Audio

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to elevate privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2021-30907: Zweig of Kunlun Lab

Bluetooth

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2021-30899: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

Bluetooth

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to disclose kernel memory

Description: A logic issue was addressed with improved validation.

CVE-2021-30931: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

Entry added November 18, 2021

bootp

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A device may be passively tracked by its WiFi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2021-30866: Fabien Duchêne of UCLouvain (Belgium)

Entry added November 18, 2021

ColorSync

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.

CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero

Continuity Camera

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An uncontrolled format string issue was addressed with improved input validation.

CVE-2021-30903: an anonymous researcher

Entry updated May 25, 2022

CoreAudio

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro

CoreGraphics

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-30919

Directory Utility

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to access local users' Apple IDs

Description: A logic issue was addressed with improved state management.

CVE-2020-9846: Wojciech Reguła (@_r3ggi)

Entry added March 31, 2022

FileProvider

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution

Description: An input validation issue was addressed with improved memory handling.

CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360

File System

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2021-30923: Pan ZhenPeng (@Peterpan0927) of Alibaba Security

Entry added November 18, 2021

FontParser

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30831: Xingwei Lin of Ant Security Light-Year Lab

Entry added November 18, 2021

FontParser

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted dfont file may lead to arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2021-30840: Xingwei Lin of Ant Security Light-Year Lab

Entry added November 18, 2021

Foundation

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2021-30852: Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab

Entry added November 18, 2021

Game Center

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to access information about a user's contacts

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30895: Denis Tokarev

Game Center

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to read user's gameplay data

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30896: Denis Tokarev

Graphics Drivers

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2021-30933: Jack Dates of RET2 Systems, Inc.

Entry added March 31, 2022

iCloud

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed with improved checks.

CVE-2021-30906: Cees Elzinga

iCloud Photo Library

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to access photo metadata without needing permission to access photos

Description: The issue was addressed with improved authentication.

CVE-2021-30867: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added November 18, 2021

ImageIO

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2021-30814: hjy79425575

Entry added November 18, 2021

Intel Graphics Driver

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2021-30922: Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1)

Entry added March 31, 2022

Intel Graphics Driver

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2021-30824: Antonio Zekic (@antoniozekic) of Diverto

Intel Graphics Driver

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.

CVE-2021-30901: Zuozhi Fan (@pattern_F_) of Ant Security TianQiong Lab, Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab, Jack Dates of RET2 Systems, Inc.

IOGraphics

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30821: Tim Michaud (@TimGMichaud) of Zoom Video Communications

IOMobileFrameBuffer

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30883: an anonymous researcher

Kernel

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A remote attacker can cause a device to unexpectedly restart

Description: A denial of service issue was addressed with improved state handling.

CVE-2021-30924: Elaman Iskakov (@darling_x0r) of Effective and Alexey Katkov (@watman27)

Entry added November 18, 2021

Kernel

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30886: @0xalsr

Kernel

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30909: Zweig of Kunlun Lab

Kernel

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30916: Zweig of Kunlun Lab

LaunchServices

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved state management.

CVE-2021-30864: Ron Hass (@ronhass7) of Perception Point

Login Window

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A person with access to a host Mac may be able to bypass the Login Window in Remote Desktop for a locked instance of macOS

Description: A logic issue was addressed with improved checks.

CVE-2021-30813: Benjamin Berger of BBetterTech LLC, Peter Goedtkindt of Informatique-MTF S.A., an anonymous researcher

Entry updated May 25, 2022

Managed Configuration

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A user in a privileged network position may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2021-31011: Michal Moravec of Logicworks, s.r.o.

Entry added September 16, 2022

Messages

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A user's messages may continue to sync after the user has signed out of iMessage

Description: A sync issue was addressed with improved state validation.

CVE-2021-30904: Reed Meseck of IBM

Entry added November 18, 2021

Model I/O

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30910: Mickey Jin (@patch1t) of Trend Micro

Model I/O

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30911: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

NetworkExtension

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A VPN configuration may be installed by an app without user permission

Description: An authorization issue was addressed with improved state management.

CVE-2021-30874: Javier Vieira Boccardo (linkedin.com/javier-vieira-boccardo)

Entry added November 18, 2021

Sandbox

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to modify protected parts of the file system

Description: This issue was addressed with improved checks.

CVE-2021-30808: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added November 18, 2021

Sandbox

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A local attacker may be able to read sensitive information

Description: A permissions issue was addressed with improved validation.

CVE-2021-30920: Csaba Fitzl (@theevilbit) of Offensive Security

Security

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved locking.

CVE-2021-31004: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added March 31, 2022

SMB

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-31002: Peter Nguyễn Vũ Hoàng of STAR Labs

Entry added September 16, 2022

SMB

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved locking.

CVE-2021-30868: Peter Nguyen Vu Hoang of STAR Labs

SoftwareUpdate

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may gain access to a user's Keychain items

Description: The issue was addressed with improved permissions logic.

CVE-2021-30912: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

SoftwareUpdate

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An unprivileged application may be able to edit NVRAM variables

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30913: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

Entry updated May 25, 2022

UIKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A person with physical access to a device may be determine characteristics of a user's password in a secure text entry field

Description: A logic issue was addressed with improved state management.

CVE-2021-30915: Kostas Angelopoulos

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Turning off "Block all remote content" may not apply to all remote content types

Description: A logic issue was addressed with improved state management.

CVE-2021-31005: Jonathan Austin of Wells Fargo, Attila Soki

Entry added March 31, 2022

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2021-31008

Entry added March 31, 2022

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious website may exfiltrate data cross-origin

Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.

CVE-2021-30897: an anonymous researcher

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Visiting a maliciously crafted website may reveal a user's browsing history

Description: The issue was resolved with additional restrictions on CSS compositing.

CVE-2021-30884: an anonymous researcher

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved state handling.

CVE-2021-30818: Amar Menezes (@amarekano) of Zon8Research

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing a maliciously crafted audio file may disclose restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30836: Peter Nguyen Vu Hoang of STAR Labs

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30846: Sergei Glazunov of Google Project Zero

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2021-30849: Sergei Glazunov of Google Project Zero

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30848: Sergei Glazunov of Google Project Zero

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2021-30851: Samuel Groß of Google Project Zero

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30809: an anonymous researcher

Entry added November 18, 2021

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An attacker in a privileged network position may be able to bypass HSTS

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30823: David Gullasch of Recurity Labs

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy

Description: A logic issue was addressed with improved restrictions.

CVE-2021-30887: Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior 

Description: An information leakage issue was addressed.

CVE-2021-30888: Prakash (@1lastBr3ath)

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30889: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved state management.

CVE-2021-30861: Wojciech Reguła (@_r3ggi), Ryan Pickren (ryanpickren.com)

WebKit

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2021-30890: an anonymous researcher

WebRTC

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: An attacker may be able to track users through their IP address

Description: A logic issue was addressed with improved state management.

CVE-2021-30930: Oguz Kırat, Matthias Keller (m-keller.com)

Entry added November 18, 2021, updated September 16, 2022

Windows Server

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2021-30908: ASentientBot

xar

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files

Description: This issue was addressed with improved checks.

CVE-2021-30833: Richard Warren of NCC Group

zsh

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to modify protected parts of the file system

Description: An inherited permissions issue was addressed with additional restrictions.

CVE-2021-30892: Jonathan Bar Or of Microsoft

Additional recognition

APFS

We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance.

AppleScript

We would like to acknowledge Jeremy Brown for their assistance.

Entry added March 31, 2022

App Support

We would like to acknowledge an anonymous researcher, 漂亮鼠 of 赛博回忆录 for their assistance.

Bluetooth

We would like to acknowledge say2 of ENKI for their assistance.

bootp

We would like to acknowledge Alexander Burke (alexburke.ca) for their assistance.

Entry added March 31, 2022

CUPS

We would like to acknowledge Nathan Nye of WhiteBeam Security for their assistance.

Entry updated March 31, 2022

iCloud

We would like to acknowledge Ryan Pickren (ryanpickren.com) for their assistance.

Kernel

We would like to acknowledge Anthony Steinhauser of Google's Safeside project, and Joshua Baums of Informatik Baums for their assistance.

Entry updated November 18, 2021

Mail

We would like to acknowledge Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences for their assistance.

Managed Configuration

We would like to acknowledge Michal Moravec of Logicworks, s.r.o. for their assistance.

Setup Assistant

We would like to acknowledge David Schütz (@xdavidhu) for their assistance.

Entry added November 18, 2021

smbx

We would like to acknowledge Zhongcheng Li (CK01) for their assistance.

UIKit

We would like to acknowledge Jason Rendel of Diligent for their assistance.

Entry added November 18, 2021

WebKit

We would like to acknowledge Ivan Fratric of Google Project Zero, Pavel Gromadchuk, Nikhil Mittal (@c0d3G33k), and Matthias Keller (m-keller.com) for their assistance.

    • Related Articles

    • About the security content of macOS Big Sur 11.0.1

      This document describes the security content of macOS Big Sur 11.0.1. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases ...
    • Security features for MacBook Pro

      Security features for MacBook Pro Your MacBook Pro with Apple silicon provides security features to protect what’s on your computer and prevent unauthorized software apps from loading during startup: Secure startup: Support for secure startup is ...
    • Update macOS on Mac

      Update macOS on Mac Use Software Update to install updates and upgrades for macOS and its built-in apps, including Safari. Use Software Update Before installing new software, it's a good idea to back up your Mac. To check for new software, open ...
    • Identify your MacBook Pro model

      Identify your MacBook Pro model Use this information to find out which MacBook Pro you have, and where it fits in the history of MacBook Pro. Your Mac provides several tools to help you identify it. The simplest is About This Mac, available by ...
    • Transfer your data to your new MacBook Pro

      It’s easy to copy your files and settings wirelessly from another Mac or PC to your MacBook Pro. You can transfer information to your MacBook Pro from an existing computer or from a Time Machine backup on a USB storage device. You might need to ...