-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3307.2
APPLE-SA-2020-09-24-1 macOS Catalina 10.15.6 Supplemental Update, Security
       Update 2020-005 High Sierra, Security Update 2020-005 Mojave
                              6 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           macOS High Sierra
                   macOS Mojave
                   macOS Catalina
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9973 CVE-2020-9968 CVE-2020-9961
                   CVE-2020-9941  

Reference:         ESB-2020.3185
                   ESB-2020.3183
                   ESB-2020.3181

Original Bulletin: 
   https://support.apple.com/en-nz/HT211849

Revision History:  October    6 2020: Updated Title, Operating System and Product Tag
                   September 25 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-09-24-1 macOS Catalina 10.15.6 Supplemental Update,
Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave

macOS Catalina 10.15.6 Supplemental Update, Security Update 2020-005
High Sierra, Security Update 2020-005 Mojave are now available and
address the following:

ImageIO
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9961: Xingwei Lin of Ant Group Light-Year Security Lab

Mail
Available for: macOS High Sierra 10.13.6
Impact: A remote attacker may be able to unexpectedly alter
application state
Description: This issue was addressed with improved checks.
CVE-2020-9941: Fabian Ising of FH Münster University of Applied
Sciences and Damian Poddebniak of FH Münster University of Applied
Sciences

Model I/O
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9973: Aleksandar Nikolic of Cisco Talos

Sandbox
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15
Impact: A malicious application may be able to access restricted
files
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9968: Adam Chester (@xpn) of TrustedSec

Additional recognition

Bluetooth
We would like to acknowledge Andy Davis of NCC Group for their
assistance.

Installation note:

macOS Catalina 10.15.6 Supplemental Update, Security Update 2020-005
High Sierra, Security Update 2020-005 Mojave may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================