hands in surgical gloves stitching an apple

Update now! Apple fixes several serious vulnerabilities

Apple has released security updates for several products to address several serious vulnerabilities  including some actively exploited zero-days. Updates are available for these products:

 Safari 16.6

 macOS Big Sur and macOS Monterey

 iOS 16.6 and iPadOS 16.6

 iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

 iOS 15.7.8 and iPadOS 15.7.8 

 iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

 macOS Ventura 13.5

 macOS Ventura

 macOS Monterey 12.6.8

 macOS Monterey

 macOS Big Sur 11.7.9

 macOS Big Sur

 tvOS 16.6

 Apple TV 4K (all models) and Apple TV HD

 watchOS 9.6

 Apple Watch Series 4 and later

 

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Some of the notable CVEs patched in these updates are:

CVE-2023-38606: A vulnerability in the kernel that may allow an app to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The exploitation of this vulnerability took place as part of a 0-click exploit chain used to install spyware. These exploitation methods are named like that because they require no user interaction to compromise a device.

CVE-2023-32409: a vulnerability in the WebKit. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. A patch for this vulnerability was issued in May for iOS 16 and iPadOS 16, but is now also available for iOS 15.7.8 and iPadOS 15.7.8.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

CVE-2023-37450: Another WebKit vulnerability where processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This vulnerability has been covered by a Rapid Security Response (RSR) earlier because Apple was aware of a report that this issue may have been actively exploited.

CVE-2023-32416: a vulnerability in the Find My app which could allow another app to read sensitive location information. This issue was addressed with improved restrictions.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.