[CVSS 8+] Apple Releases Critical Security Updates

Executive Summary

On December 11, Apple released security updates to address multiple vulnerabilities in iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser. These updates also include patches for two recently disclosed zero-day vulnerabilities affecting older devices.

One notable flaw that has been addressed is CVE-2023-45866, a critical security issue in Bluetooth. This vulnerability could potentially allow an attacker to inject keystrokes by spoofing a keyboard.

Additionally, this update includes a significant fix for Safari. It addresses two WebKit flaws, namely CVE-2023-42890 and CVE-2023-42883. These vulnerabilities could lead to arbitrary code execution and a denial-of-service condition.

Furthermore, the update introduces Contact Key Verification for iOS and iPadOS, which enhances the privacy of iMessage conversations.

Apple Releases on Dec 11

Please see below the list of software with security fixes that Apple released on December 11th:

Released S/W | Available for
Safari 17.2 | macOS Monterey and macOS Ventura
iOS 17.2 and iPadOS 17.2 | iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
iOS 16.7.3 and iPadOS 16.7.3 | iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
macOS Sonoma 14.2 | macOS Sonoma
macOS Ventura 13.6.3 | macOS Ventura
macOS Monterey 12.7.2 | macOS Monterey
tvOS 17.2 | Apple TV HD and Apple TV 4K (all models)
watchOS 10.2 | Apple Watch Series 4 and later

Users of the affected software should update as soon as possible.

Key Vulnerabilities Addressed
  • CVE-2023-45866: This critical security issue affects Bluetooth and could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. It has a CVSS score of 8.8.
  • CVE-2023-42890 and CVE-2023-42883: These WebKit flaws in Safari can lead to arbitrary code execution and a denial-of-service condition. Both vulnerabilities have a CVSS score of 8.8.

Exploited Vulnerabilities Addressed for Older Devices

Apple has released iOS 16.7.3 and iPadOS 16.7.3 to address vulnerabilities in older devices that were actively exploited in the wild.

These vulnerabilities are:

  • CVE-2023-42916, with a CVSS score of 6.5, is an out-of-bounds read issue in the WebKit web browser engine.
  • CVE-2023-42917, with a CVSS score of 8.8, is a memory corruption bug in WebKit that lets attackers execute arbitrary code when processing web content.

For more information about these vulnerabilities, please refer to our recent news article. Furthermore, these vulnerabilities have been patched in iOS and iPadOS 17.1.2, as well as in tvOS 17.2 and watchOS 10.2.
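A fleet administrator usually wants to turn a release table like the one above into a quick inventory check. The script below is an added example written for this article, not Apple's tooling and not part of the original post. It encodes the minimum fixed versions from the December 11 table per OS major line, plus the separate 17.1.2 floor for the two exploited WebKit bugs mentioned in this section, and flags devices that fall short. The inventory records are constructed sample data; a real deployment would pull versions from an MDM export.

```python
"""Flag Apple devices that are below the fixed versions in this advisory.

Added example for this article (not Apple's tooling). The version floors
are taken from the advisory's December 11 table and its note that the two
actively exploited WebKit bugs were fixed earlier in iOS/iPadOS 17.1.2.
"""
from __future__ import annotations

import re

# Minimum fixed version per (product, major release line), from the table.
# A device on a major line that is not listed (e.g. iOS 15) has no fix in
# this release and is reported as unpatched.
FIXED_VERSIONS: dict[tuple[str, int], tuple[int, ...]] = {
    ("iOS", 17): (17, 2),
    ("iOS", 16): (16, 7, 3),
    ("iPadOS", 17): (17, 2),
    ("iPadOS", 16): (16, 7, 3),
    ("macOS", 14): (14, 2),      # Sonoma
    ("macOS", 13): (13, 6, 3),   # Ventura
    ("macOS", 12): (12, 7, 2),   # Monterey
    ("tvOS", 17): (17, 2),
    ("watchOS", 10): (10, 2),
    ("Safari", 17): (17, 2),
}

# Floors for CVE-2023-42916 / CVE-2023-42917 only: iOS and iPadOS 17.1.2
# already carried those fixes, per the advisory; the other lines got them
# in the December 11 releases.
EXPLOITED_WEBKIT_FIXED: dict[tuple[str, int], tuple[int, ...]] = {
    ("iOS", 17): (17, 1, 2),
    ("iPadOS", 17): (17, 1, 2),
    ("iOS", 16): (16, 7, 3),
    ("iPadOS", 16): (16, 7, 3),
    ("tvOS", 17): (17, 2),
    ("watchOS", 10): (10, 2),
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.7.3' into (16, 7, 3) so comparisons are numeric, not lexical
    (otherwise '17.10' would sort below '17.2')."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(product: str, version: str,
               table: dict[tuple[str, int], tuple[int, ...]] = FIXED_VERSIONS) -> bool:
    """True if `version` is at or above the floor for its major line.

    Tuple comparison handles differing lengths: (17, 2, 1) >= (17, 2) is True,
    while (17, 1, 2) >= (17, 2) is False.
    """
    parsed = parse_version(version)
    floor = table.get((product, parsed[0]))
    if floor is None:
        return False  # unlisted major line: no fix available in this release
    return parsed >= floor


def find_unpatched(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the names of devices below the December 11 floors."""
    return [name for name, product, version in inventory
            if not is_patched(product, version)]


# Constructed sample inventory: (device name, product, reported version).
SAMPLE_INVENTORY = [
    ("laptop-01", "macOS", "14.1"),
    ("laptop-02", "macOS", "13.6.3"),
    ("phone-07", "iOS", "17.1.2"),
    ("phone-08", "iOS", "16.7.2"),
    ("tv-01", "tvOS", "17.2"),
    ("phone-09", "iOS", "15.8"),
]

if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_INVENTORY):
        print(f"{name}: update required")
```

Note that phone-07 on iOS 17.1.2 is reported as needing the December 11 update even though it is already covered against the two exploited WebKit bugs; querying `is_patched("iOS", "17.1.2", EXPLOITED_WEBKIT_FIXED)` separates the two questions.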

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.