AppleKeyStore
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A memory corruption issue was addressed with improved validation.
CVE-2019-6235: Brandon Azad
Bluetooth
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-6200: an anonymous researcher
Core Media
Impact: A malicious application may be able to elevate privileges
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2019-6202: Fluoroacetate working with Trend Micro’s Zero Day Initiative
CVE-2019-6221: Fluoroacetate working with Trend Micro’s Zero Day Initiative
CoreAnimation
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2019-6231: Zhuo Liang of Qihoo 360 Nirvan Team
CoreAnimation
Impact: A malicious application may be able to break out of its sandbox
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2019-6230: Proteas, Shrek_wzw and Zhuo Liang of Qihoo 360 Nirvan Team
FaceTime
Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-6224: Natalie Silvanovich of Google Project Zero
IOKit
Impact: A malicious application may be able to break out of its sandbox
Description: A type confusion issue was addressed with improved memory handling.
CVE-2019-6214: Ian Beer of Google Project Zero
Kernel
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2019-6225: Brandon Azad of Google Project Zero, Qixun Zhao of Qihoo 360 Vulcan Team
Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-6210: Ned Williamson of Google
Kernel
Impact: A malicious application may cause unexpected changes in memory shared between processes
Description: A memory corruption issue was addressed with improved lock state checking.
CVE-2019-6205: Ian Beer of Google Project Zero
Kernel
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-6213: Ian Beer of Google Project Zero
Kernel
Impact: A malicious application may be able to determine kernel memory layout
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.
CVE-2019-6209: Brandon Azad of Google Project Zero
Kernel
Impact: A malicious application may cause unexpected changes in memory shared between processes
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2019-6208: Jann Horn of Google Project Zero
Keyboard
Impact: Password autofill may fill in passwords after they were manually cleared
Description: An issue existed with autofill resuming after it was canceled. The issue was addressed with improved state management.
CVE-2019-6206: Sergey Pershenkov
libxpc
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-6218: Ian Beer of Google Project Zero
Natural Language Processing
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: A denial of service issue was addressed with improved validation.
CVE-2019-6219: Authier Thomas
Safari Reader
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack
Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.
CVE-2019-6228: Ryan Pickren (ryanpickren.com)
SQLite
Impact: A maliciously crafted SQL query may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2018-20346: Tencent Blade Team
CVE-2018-20505: Tencent Blade Team
CVE-2018-20506: Tencent Blade Team
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-6227: Qixun Zhao of Qihoo 360 Vulcan Team
CVE-2019-6233: G. Geshev from MWR Labs working with Trend Micro’s Zero Day Initiative
CVE-2019-6234: G. Geshev from MWR Labs working with Trend Micro’s Zero Day Initiative
WebKit
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-6229: Ryan Pickren (ryanpickren.com)
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2019-6215: Lokihardt of Google Project Zero
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6212: an anonymous researcher, an anonymous researcher
CVE-2019-6216: Fluoroacetate working with Trend Micro’s Zero Day Initiative
CVE-2019-6217: Fluoroacetate working with Trend Micro’s Zero Day Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan Team
CVE-2019-6226: Apple
WebRTC
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-6211: Georgi Geshev (@munmap), Fabi Beterke (@pwnfl4k3s), and Rob Miller (@trotmaster99) of MWR Labs (@mwrlabs) working with Trend Micro’s Zero Day Initiative