-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4062
        APPLE-SA-2020-11-13-2 Security Update 2020-006 High Sierra,
                      Security Update 2020-006 Mojave
                             16 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           macOS High Sierra 10.13.6
                   macOS Mojave 10.14.6
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Root Compromise                 -- Unknown/Unspecified         
                   Access Privileged Data          -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27950 CVE-2020-27932 CVE-2020-27930

Reference:         ESB-2020.3917
                   ESB-2020.3909

Original Bulletin: 
   https://support.apple.com/en-us/HT211946

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-11-13-2 Security Update 2020-006 High Sierra, Security
Update 2020-006 Mojave

Security Update 2020-006 High Sierra, Security Update 2020-006
Mojave addresses the following issues. Information about the security
content is also available at https://support.apple.com/HT211946.

FontParser
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: Processing a maliciously crafted font may lead to arbitrary
code execution. Apple is aware of reports that an exploit for this
issue exists in the wild.
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27930: Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges. Apple is aware of reports that an exploit for
this issue exists in the wild.
Description: A type confusion issue was addressed with improved state
handling.
CVE-2020-27932: Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6
Impact: A malicious application may be able to disclose kernel
memory. Apple is aware of reports that an exploit for this issue
exists in the wild.
Description: A memory initialization issue was addressed.
CVE-2020-27950: Google Project Zero

Installation note:

Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave
may be obtained from the Mac App Store or Apple's Software Downloads
web site: https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----