Executive Summary
On December 11, Apple released security updates to address multiple vulnerabilities in iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser. These updates also include patches for two recently disclosed zero-day vulnerabilities affecting older devices.
One notable flaw that has been addressed is CVE-2023-45866, a critical security issue in Bluetooth. This vulnerability could allow an attacker to inject keystrokes by spoofing a keyboard.
Additionally, this update includes a significant fix for Safari. It addresses two WebKit flaws, namely CVE-2023-42890 and CVE-2023-42883. These vulnerabilities could lead to arbitrary code execution and a denial-of-service condition.
Furthermore, the update introduces Contact Key Verification for iOS and iPadOS, which enhances the privacy of iMessage conversations.
Apple Releases on Dec 11
Please see below the list of software with security fixes that Apple released on December 11th:
| Released S/W | Available for |
|---|---|
| Safari 17.2 | macOS Monterey and macOS Ventura |
| iOS 17.2 and iPadOS 17.2 | iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later |
| iOS 16.7.3 and iPadOS 16.7.3 | iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation |
| macOS Sonoma 14.2 | macOS Sonoma |
| macOS Ventura 13.6.3 | macOS Ventura |
| macOS Monterey 12.7.2 | macOS Monterey |
| tvOS 17.2 | Apple TV HD and Apple TV 4K (all models) |
| watchOS 10.2 | Apple Watch Series 4 and later |
Users of the affected software should update as soon as possible.
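To check whether a macOS host has reached the fixed release listed in the table above, here is an added example (not part of the advisory or an Apple tool). The minimum versions are taken from the table; the dotted-version comparison and the sample version strings are constructed for illustration, and on a real host the input would come from `sw_vers -productVersion`.

```shell
#!/bin/sh
# Added example: patch-compliance check for the macOS releases in the advisory.

# version_ge A B: return 0 if dotted numeric version A >= B (e.g. 13.6.3 >= 13.6.2).
# Compares component by component so that 14.10 correctly ranks above 14.2;
# a missing component counts as 0, so 14.2 equals 14.2.0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# fixed_macos_version V: print the minimum fixed release for V's major line
# (values from the advisory's table), or nothing for a line the advisory does not list.
fixed_macos_version() {
    case "$1" in
        14.*) echo 14.2 ;;     # macOS Sonoma 14.2
        13.*) echo 13.6.3 ;;   # macOS Ventura 13.6.3
        12.*) echo 12.7.2 ;;   # macOS Monterey 12.7.2
        *)    echo "" ;;
    esac
}

# macos_patch_status V: print "patched", "unpatched" or "not-listed".
macos_patch_status() {
    need=$(fixed_macos_version "$1")
    if [ -z "$need" ]; then echo not-listed; return 0; fi
    if version_ge "$1" "$need"; then echo patched; else echo unpatched; fi
}

# Real host:   macos_patch_status "$(sw_vers -productVersion)"
# Constructed sample values for a stand-alone run:
for v in 14.1.2 14.2 13.6.3 13.5 12.7.2 11.7.10; do
    printf '%s -> %s\n' "$v" "$(macos_patch_status "$v")"
done
```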
Key Vulnerabilities Addressed
- CVE-2023-45866: This critical security issue affects Bluetooth and could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. It has a CVSS score of 8.8.
- CVE-2023-42890 and CVE-2023-42883: These WebKit flaws in Safari can lead to arbitrary code execution and a denial-of-service condition. Both vulnerabilities have a CVSS score of 8.8.
Exploited Vulnerabilities Addressed for Older Devices
Apple has released iOS 16.7.3 and iPadOS 16.7.3 to address vulnerabilities in older devices that were actively exploited in the wild.
These vulnerabilities are:
- CVE-2023-42916, with a CVSS score of 6.5, is an out-of-bounds read issue in the WebKit browser engine.
- CVE-2023-42917, with a CVSS score of 8.8, is a memory corruption bug in WebKit that enables attackers to execute arbitrary code when processing web content.
For more information about these vulnerabilities, please refer to our recent news article. Furthermore, these vulnerabilities have been patched in iOS and iPadOS 17.1.2, as well as in tvOS 17.2 and watchOS 10.2.