Apple has released security updates for its phones, iPads, Macs, watches and TVs.<\/p>\n
Updates are available for these products:<\/p>\n
The important vulnerabilities that have been addressed in this raft of updates are:<\/p>\n
CVE-2023-40423<\/a>, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges means the attacker would have the highest level of access to all machine resources.<\/p>\n CVE-2023-40413<\/a>, a vulnerability in Find My that could allow another to read sensitive location information.<\/p>\n CVE-2023-40416<\/a>, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.<\/p>\n CVE-2023-42847<\/a>, a vulnerability in Passkeys could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account, without needing to create and remember a password.<\/p>\n CVE-2023-42841<\/a>, a vulnerability in Pro Res could allow an app to execute arbitrary code with kernel privileges.<\/p>\n CVE-2023-41982<\/a>, CVE-2023-41997<\/a>, and CVE-2023-41988<\/a> are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.<\/p>\n CVE-2023-40447<\/a> and CVE-2023-42852<\/a> are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.<\/p>\n CVE-2023-32434<\/a> is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.<\/p>\n CVE-2023-41989<\/a> could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting options offered on a locked device. Root is the superuser account in many opeating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.<\/p>\n CVE-2023-38403<\/a> is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.<\/p>\n CVE-2023-42856<\/a> could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I\/O. Model I\/O provides the ability to access and manage 3D models.<\/p>\n CVE-2023-40404<\/a> could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.<\/p>\n CVE-2023-41977<\/a> is a vulnerability in Safari that could allow a malicious website to reveal browsing history.<\/p>\n Notably absent from the bugs that have been fixed is iLeakage<\/a>, a sophisticated side-channel attack in the Spectre family.<\/p>\n The updates above may already have reached you, but it doesn’t hurt to check if your device is at the latest update level<\/a>. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad<\/a> or your Mac<\/a>.<\/p>\n We don\u2019t just report on vulnerabilities\u2014we identify them, and prioritize action.<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management<\/a>.<\/p>\n
\n