APPLE-SA-10-25-2023-6 macOS Monterey 12.7.1

macOS Monterey 12.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213983.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

CoreAnimation
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider
Available for: macOS Monterey
Impact: An app may be able to cause a denial-of-service to Endpoint
Security clients
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My
Available for: macOS Monterey
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of caches.
CVE-2023-40413: Adam M.

Foundation
Available for: macOS Monterey
Impact: A website may be able to access sensitive user data when
resolving symlinks
Description: This issue was addressed with improved handling of
symlinks.
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO
Available for: macOS Monterey
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-40416: JZ

IOTextEncryptionFamily
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-40423: an anonymous researcher

Kernel
Available for: macOS Monterey
Impact: An attacker that has already achieved kernel code execution may
be able to bypass kernel memory mitigations
Description: The issue was addressed with improved memory handling.
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

Model I/O
Available for: macOS Monterey
Impact: Processing a file may lead to unexpected app termination or
arbitrary code execution
Description: The issue was addressed with improved memory handling.
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day
Initiative

Sandbox
Available for: macOS Monterey
Impact: An app with root privileges may be able to access private
information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-40425: Csaba Fitzl (@theevilbit) of Offensive Security

talagent
Available for: macOS Monterey
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

WindowServer
Available for: macOS Monterey
Impact: A website may be able to access the microphone without the
microphone use indicator being shown
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers
We would like to acknowledge an anonymous researcher for their
assistance.

libarchive
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project
Zero for their assistance.

macOS Monterey 12.7.1 may be obtained from the Mac App Store or
Apple’s Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.