On Dec. 11, Apple released patches for dozens of vulnerabilities affecting iPhones, Macs, Apple TVs, Apple Watches, and its Safari browser.
The lengthy list includes 39 vulnerabilities fixed for macOS Sonoma version 14.2.
Among them are CVE-2023-42914, a kernel issue with the potential to allow apps to break out of their sandboxes; CVE-2023-42894, an AppleEvents issue that opens the door for apps to access a user’s contacts without authorization; and two CVEs specific to Safari WebKit: an arbitrary code execution bug, CVE-2023-42890, and a denial-of-service bug, CVE-2023-42883.
Monday’s updates also included a dozen new fixes in iOS and iPadOS 17.2, eight of which apply equally to version 16.7.3.
They include CVE-2023-42922, which may have allowed apps to read sensitive location information through FindMy; CVE-2023-42923, enabling unauthenticated access to private browsing tabs; and CVE-2023-42897, discovered by a student at the University of Texas, in which an attacker with physical access to a device might have been able to take advantage of Siri to obtain sensitive user data.
Notable CVEs in Apple Watch, Bluetooth
Two WebKit vulnerabilities that had previously been patched on iPhones, iPads, and MacBooks have, as of Dec. 11, been patched for Apple Watches as well. CVE-2023-42916, assigned a 6.5 “Medium” CVSS score, and CVE-2023-42917 (8.8 “High”) both “permit attackers to access sensitive information through out-of-bounds reads and execute remote code execution (RCE) via memory corruption through malicious webpages,” explains Mike Walters, president and co-founder of Action1.
Apple noted that these vulnerabilities were reported to have been exploited in versions of iOS prior to 16.7.1. “Given the researcher’s earlier work,” Walters says of the Google TAG analyst responsible for their discovery, “it means that they’re associated with adware or an APT. Nevertheless, as usual, the vendor will not disclose this information.”
Another line item that made recent headlines is CVE-2023-45866, an authentication bypass vulnerability affecting macOS and iOS, as well as Linux and Android.
First reported to the vendors back in early August, and made public as of last week, this CVE only affects Apple devices when Bluetooth is on and they’re paired with a Magic Keyboard. In such cases, though, an attacker on a Linux computer with a standard Bluetooth adapter can inject keystrokes on a targeted device, performing any actions the victim could, without any authentication barriers.
Red Hat assigned CVE-2023-45866 a 7.1 CVSS score, qualifying it as “High” severity.
In a GitHub README, the researcher responsible for the discovery lamented persistent security issues affecting Bluetooth devices. “I am actually unsure what kind of wireless keyboard to recommend at this point,” he wrote. “If you’re reading this and you make a secure wireless keyboard, please send me one so I can hack it for you.”