-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-12-11-2024-8 visionOS 2.2

visionOS 2.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121845.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Crash Reporter
Available for: Apple Vision Pro
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional
restrictions.
CVE-2024-54513: an anonymous researcher

FontParser
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative

ImageIO
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted image may result in disclosure
of process memory
Description: The issue was addressed with improved checks.
CVE-2024-54500: Junsung Lee working with Trend Micro Zero Day Initiative

Kernel
Available for: Apple Vision Pro
Impact: An app may be able to cause unexpected system termination or
corrupt kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2024-44245: an anonymous researcher

Kernel
Available for: Apple Vision Pro
Impact: An attacker may be able to create a read-only memory mapping
that can be written to
Description: A race condition was addressed with additional validation.
CVE-2024-54494: sohybbyk

libexpat
Available for: Apple Vision Pro
Impact: A remote attacker may cause an unexpected app termination or
arbitrary code execution
Description: This is a vulnerability in open source code and Apple
Software is among the affected projects. The CVE-ID was assigned by a
third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-45490

Passwords
Available for: Apple Vision Pro
Impact: An attacker in a privileged network position may be able to
alter network traffic
Description: This issue was addressed by using HTTPS when sending
information over the network.
CVE-2024-54492: Talal Haj Bakry and Tommy Mysk of Mysk Inc. (@mysk_co)

SceneKit
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted file may lead to a denial of
service
Description: The issue was addressed with improved checks.
CVE-2024-54501: Michael DePlante (@izobashi) of Trend Micro's Zero Day
Initiative

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy of HKUS3Lab and chluo of WHUSecLab, Xiangwei Zhang
of Tencent Security YUNDING LAB

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to memory
corruption
Description: A type confusion issue was addressed with improved memory
handling.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong

WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to memory
corruption
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 277967
CVE-2024-54534: Tashita Software Security

Additional recognition

FaceTime Foundation
We would like to acknowledge Joshua Pellecchia for their assistance.

Photos
We would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup
for their assistance.

Proximity
We would like to acknowledge Junming C. (@Chapoly1305) and Prof. Qiang
Zeng of George Mason University for their assistance.

Safari Private Browsing
We would like to acknowledge Richard Hyunho Im (@richeeta) with Route
Zero Security for their assistance.

Swift
We would like to acknowledge Marc Schoenefeld, Dr. rer. nat. for their
assistance.

WebKit
We would like to acknowledge Hafiizh for their assistance.

Instructions on how to update visionOS are available at
https://support.apple.com/118481. To check the software version
on your Apple Vision Pro, open the Settings app and choose General >
About.

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmdaBL0ACgkQX+5d1TXa
IvpztRAAlcqwUwZ2X1NKKAtTfcRPplYivevy2kxV7bvqWV/wOvxX4z0FONE+Pmeg
9JhMh3tng7n78tm/YP/hnZZZO97n+A8kQcwfgZuYNgt1qK0d8T+x1yZELIR3DGbW
6lTti2KvbBBeZwJ8H0A0Sq4doeNZ9dIaddbsZmPzFcXAafdPmrYSr4mnm4Y3O9gx
2droOZDdSvBIKMJ7uAE2gB0TpF3p2XhaEdzo/SzS416V3JluFq7ph3IQgzviIPwc
+p1qM4GHdWIG7PvibordcwTGkrMDY1i1Avco3m5+qQBRPYzobmcoL6jO7VjuooP0
+r5CyjXuZXs7KKbsXw2HhTwbadaxiBnqtc+xhitNU++2CXRKUwukMBN24OK+J5mb
j2bEFTpvV9s9KtuhbWT1QPWK7sOg2WjNmYfJzu8Thk/HVMQqYTcDRRUvU3l/ATqs
cLd0OJ37koj7swtpuCMwyMU01cwb5LSi40oTZ6feFm5K2gfhCnUzHHrG98jgf5+M
nWLqJLZqU6rEWrmrX8tmPZiuemR92kdvMczuewBBh9cfd19R9Na1gpMHlJa5OPcq
uYfbrS3o78l15NbO4xCTPRHi8nafkJ6DHzPTHrU1BDbxfBRDeNCHFdybo8peiIvq
OE6r8a+3dBj6EiP7IWGKmd8N9uL+JnNG3VHRbwwa1BNDccaFTEo=
=XQJI
-----END PGP SIGNATURE-----