On Monday, Apple unveiled a series of security updates across its platforms, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari, aimed at rectifying numerous vulnerabilities while also backporting critical fixes for two recently identified zero-day flaws affecting older devices.
The updates address 12 significant security vulnerabilities in iOS and iPadOS. These span various components including AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. Additionally, the newly released macOS Sonoma 14.2 remedies 39 distinct security shortcomings, among them six issues related to the ncurses library.
Among the most critical vulnerabilities is CVE-2023-45866, a Bluetooth vulnerability that may permit an attacker situated within a trusted network to inject keystrokes by impersonating a legitimate keyboard. This flaw was brought to light by SkySafe researcher Marc Newlin last week and has been patched in the latest versions of iOS, iPadOS, and macOS through enhanced validation measures, according to Apple.
In coordination with these updates, Apple has also issued Safari 17.2, featuring fixes for two WebKit vulnerabilities: CVE-2023-42890 and CVE-2023-42883. These flaws could potentially facilitate arbitrary code execution and lead to a denial-of-service condition. This update is available for Macs operating on macOS Monterey and macOS Ventura.
The updates for iOS 17.2 and iPadOS 17.2 also address a Siri-related vulnerability that could enable unauthorized access to sensitive user data for those with physical access to the device. Additionally, the latest releases include an enhanced security feature known as Contact Key Verification. This feature fortifies the privacy of iMessage conversations, allowing users to authenticate the identities of their contacts.
Apple described the functionality of iMessage Contact Key Verification in a technical blog post from October 2023, stating, “This feature represents a substantial advancement in Key Transparency deployments, ensuring that user devices independently verify consistency across all accounts.” These improvements aim to mitigate risks associated with key directory breaches and enhance the integrity of transparency services.
Alongside these releases, Apple has also launched iOS 16.7.3 and iPadOS 16.7.3, addressing as many as eight security vulnerabilities, two of which are tied to WebKit flaws, CVE-2023-42916 and CVE-2023-42917. These vulnerabilities were noted by Apple as being actively exploited in the wild earlier this month. Both vulnerabilities have also been addressed in tvOS 17.2 and watchOS 10.2.
While detailed information regarding the operational tactics and origins of the threats involved in these vulnerabilities remains scant, the risks associated with these exploits necessitate immediate attention from organizations relying on Apple’s ecosystem. The tactics potentially used could include initial access and privilege escalation, as defined in the MITRE ATT&CK framework, signaling the importance of robust cybersecurity measures in light of these threats.
