Min (Spark) Zheng

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.14.6 Security Update versions prior to 2019-004 High Sierra Security Update versions prior to 2019-004 Sierra iOS versions prior to 12.4 tvOS versions prior to 12.4 **Description** A local user may be able to read a persistent account identifier. This issue was addressed with a new entitlement. **Recommendations** For macOS versions prior to 10.14.6, update to macOS Mojave 10.14.6. For Security Update versions prior to 2019-004 High Sierra, apply Security Update 2019-004. For Security Update versions prior to 2019-004 Sierra, apply Security Update 2019-004 Sierra. For iOS versions prior to 12.4, update to iOS 12.4. For tvOS versions prior to 12.4, update to tvOS 12.4.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 12.1 **Description** A device configuration issue was addressed with an updated configuration. This issue allows a device to be passively tracked by its Bluetooth MAC address. **Recommendations** For versions prior to 12.1, update to macOS Monterey 12.1 to resolve the issue. As a temporary workaround, consider restricting Bluetooth connectivity to minimize the risk of passive tracking.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 11.1 macOS Big Sur version 11.0.1 Security Update versions prior to 2020-001 Catalina Security Update versions prior to 2020-007 Mojave **Description** An out-of-bounds write issue was addressed with improved bounds checking, allowing an application to potentially execute arbitrary code with kernel privileges. **Recommendations** For macOS versions prior to 11.1, update to macOS Big Sur 11.1 or later. For macOS Big Sur version 11.0.1, update to macOS Big Sur 11.1 or later. For Security Update versions prior to 2020-001 Catalina, apply Security Update 2020-001 Catalina or later. For Security Update versions prior to 2020-007 Mojave, apply Security Update 2020-007 Mojave or later.

**Name of the Vulnerable Software and Affected Versions** Apple macOS versions prior to 11.1 Apple macOS versions prior to Security Update 2020-001 Catalina Apple macOS versions prior to Security Update 2020-007 Mojave Apple macOS version 11.0.1 **Description** An out-of-bounds write issue was addressed with improved bounds checking, allowing an application to potentially execute arbitrary code with kernel privileges. **Recommendations** For macOS Big Sur, update to version 11.1 or later. For macOS Catalina, apply Security Update 2020-001 or later. For macOS Mojave, apply Security Update 2020-007 or later. For macOS Big Sur 11.0.1, update to a newer version that includes the security fix.

**Name of the Vulnerable Software and Affected Versions** macOS Catalina versions prior to 10.15.4 macOS Mojave versions prior to Security Update 2020-002 macOS High Sierra versions prior to Security Update 2020-002 **Description** A use after free issue was addressed with improved memory management, which may allow an application to gain elevated privileges. **Recommendations** For macOS Catalina versions prior to 10.15.4, update to macOS Catalina 10.15.4 or later. For macOS Mojave versions prior to Security Update 2020-002, apply Security Update 2020-002 or later. For macOS High Sierra versions prior to Security Update 2020-002, apply Security Update 2020-002 or later.

**Name of the Vulnerable Software and Affected Versions** watchOS versions prior to 5.2 iOS versions prior to 12.2 **Description** A permissions issue was addressed by removing vulnerable code and adding additional checks. A malicious application may be able to access restricted files. **Recommendations** For watchOS versions prior to 5.2, update to watchOS 5.2 to resolve the issue. For iOS versions prior to 12.2, update to iOS 12.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.6 iPadOS versions prior to 13.6 tvOS versions prior to 13.4.8 watchOS versions prior to 6.2.8 **Description** An authorization issue was addressed with improved state management. A malicious application may be able to read sensitive location information. **Recommendations** For iOS versions prior to 13.6, update to iOS 13.6 or later. For iPadOS versions prior to 13.6, update to iPadOS 13.6 or later. For tvOS versions prior to 13.4.8, update to tvOS 13.4.8 or later. For watchOS versions prior to 6.2.8, update to watchOS 6.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.3.1 iPadOS versions prior to 13.3.1 **Description** A memory corruption issue was addressed with improved memory handling, allowing an application to potentially execute arbitrary code with kernel privileges. **Recommendations** For iOS versions prior to 13.3.1, update to iOS 13.3.1 to resolve the issue. For iPadOS versions prior to 13.3.1, update to iPadOS 13.3.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12 macOS versions prior to 10.14 tvOS versions prior to 12 **Description** A validation issue existed in the entitlement verification, which has been addressed with improved validation of the process entitlement. **Recommendations** For iOS versions prior to 12, update to iOS 12 or later to resolve the issue. For macOS versions prior to 10.14, update to macOS 10.14 or later to resolve the issue. For tvOS versions prior to 12, update to tvOS 12 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13.4 **Description** The issue involves the `IOFireWireFamily` component and allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. **Recommendations** For macOS versions prior to 10.13.4, update to version 10.13.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13 **Description** The issue involves the IOFireWireFamily component and allows attackers to bypass intended memory-read restrictions via a crafted app. **Recommendations** For macOS versions prior to 10.13, update to version 10.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.12.6 **Description** The issue involves the `Bluetooth` component and allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. This is caused by a buffer overflow in memory. **Recommendations** For macOS versions prior to 10.12.6, update to version 10.12.6 or later to resolve the issue. As a temporary workaround, consider disabling the `Bluetooth` component until a patch is available.