Update now! Apple patches a raft of vulnerabilities

Apple has released security updates for its phones, iPads, Macs, watches and TVs.

Updates are available for these products:

  • iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later get iOS 17.1 or iPadOS 17.1.
  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later get iOS 16.7.2 or iPadOS 16.7.2.
  • iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) get iOS 15.8 or iPadOS 15.8.
  • Macs get one of macOS Sonoma 14.1macOS Ventura 13.6.1macOS Monterey 12.7.1, and Safari 17.1.
  • Apple TV HD and Apple TV 4K (all models) get tvOS 17.1.
  • Apple Watch Series 4 and later get watchOS 10.1.

The important vulnerabilities that have been addressed in this raft of updates are:

CVE-2023-40423, a critical vulnerability in IOTextEncryptionFamily that could allow an app to execute arbitrary code with kernel privileges. Arbitrary code execution means an attacker could run any commands or code of their choice on a target machine or in a target process. Kernel privileges means the attacker would have the highest level of access to all machine resources.

CVE-2023-40413, a vulnerability in Find My that could allow another to read sensitive location information.

CVE-2023-40416, a vulnerability in ImageIO which means processing an image could result in disclosure of process memory.

CVE-2023-42847, a vulnerability in Passkeys could allow an attacker to access passkeys without authentication. A passkey is a way to sign in to an app or website account, without needing to create and remember a password.

CVE-2023-42841, a vulnerability in Pro Res could allow an app to execute arbitrary code with kernel privileges.

CVE-2023-41982CVE-2023-41997, and CVE-2023-41988 are a set of vulnerabilities in Siri that would allow an attacker with physical access to use Siri to access sensitive user data.

CVE-2023-40447 and CVE-2023-42852 are vulnerabilities in WebKit that could be used for arbitrary code execution. Visiting a specially crafted website could cause WebKit to perform operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2023-32434 is a vulnerability that could allow an app to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

CVE-2023-41989 could allow an attacker to execute arbitrary code as root from the Lock Screen due to a vulnerability in Emoji. The issue was addressed by restricting options offered on a locked device. Root is the superuser account in many opeating systems. It is a user account for administrative purposes, and typically has the highest access rights on the system.

CVE-2023-38403 is a vulnerability in iperf3 before 3.14 that could allow peers to cause an integer overflow and heap corruption via a crafted length field. iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

CVE-2023-42856 could be used to trigger unexpected app termination or arbitrary code execution due to a vulnerability in Model I/O. Model I/O provides the ability to access and manage 3D models.

CVE-2023-40404 could allow an app to execute arbitrary code with kernel privileges due to a vulnerability in Networking.

CVE-2023-41977 is a vulnerability in Safari that could allow a malicious website to reveal browsing history.

Notably absent from the bugs that have been fixed is iLeakage, a sophisticated side-channel attack in the Spectre family.

The updates above may already have reached you, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading your iPhone or iPad or your Mac.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.