Apple Patches Everything

Published: 2023-12-11. Last Updated: 2023-12-11 19:14:53 UTC
by Johannes Ullrich (Version: 1)

Apple today released updates for iOS, macOS, tvOS and watchOS. The updates fix 43 vulnerabilities, two of which are already being exploited. Last week, these two vulnerabilities received patches for current versions of iOS and macOS. This new update covers older iOS and macOS versions as well.

| Vulnerability | Description | Impact | iOS 17.2 and iPadOS 17.2 | iOS 16.7.3 and iPadOS 16.7.3 | macOS Sonoma 14.2 | macOS Ventura 13.6.3 | macOS Monterey 12.7.2 | tvOS 17.2 | watchOS 10.2 |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-42919 [moderate] Accounts | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to access sensitive user data | x | x | x | x | x |  | x |
| CVE-2023-42884 [important] AVEVideoEncoder | This issue was addressed with improved redaction of sensitive information. | An app may be able to disclose kernel memory | x | x | x | x |  | x |  |
| CVE-2023-42927 [moderate] ExtensionKit | A privacy issue was addressed with improved private data redaction for log entries. | An app may be able to access sensitive user data | x |  | x |  |  |  | x |
| CVE-2023-42922 [important] Find My | This issue was addressed with improved redaction of sensitive information. | An app may be able to read sensitive location information | x | x | x | x | x |  |  |
| CVE-2023-42898 [critical] ImageIO | The issue was addressed with improved memory handling. | Processing an image may lead to arbitrary code execution | x |  | x |  |  | x | x |
| CVE-2023-42899 [critical] ImageIO | The issue was addressed with improved memory handling. | Processing an image may lead to arbitrary code execution | x | x | x | x | x | x | x |
| CVE-2023-42914 [important] Kernel | The issue was addressed with improved memory handling. | An app may be able to break out of its sandbox | x | x | x | x | x | x | x |
| CVE-2023-42923 [moderate] Safari Private Browsing |  | Private Browsing tabs may be accessed without authentication | x |  |  |  |  |  |  |
| CVE-2023-42897 [moderate] Siri | The issue was addressed with improved checks. | An attacker with physical access may be able to use Siri to access sensitive user data | x |  |  |  |  |  |  |
| CVE-2023-42890 [critical] WebKit | The issue was addressed with improved memory handling. | Processing web content may lead to arbitrary code execution | x |  | x |  |  | x | x |
| CVE-2023-42883 [moderate] WebKit | The issue was addressed with improved memory handling. | Processing an image may lead to a denial-of-service | x | x | x |  |  | x | x |
| CVE-2023-42917 [critical] WebKit | A memory corruption vulnerability was addressed with improved locking. | Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. |  | x |  |  |  | x | x |
| CVE-2023-42916 [moderate] WebKit | An out-of-bounds read was addressed with improved input validation. | Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1. |  | x |  |  |  | x | x |
| CVE-2023-42874 [moderate] Accessibility | This issue was addressed with improved state management. | Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard |  |  | x |  |  |  |  |
| CVE-2023-42894 [moderate] AppleEvents | This issue was addressed with improved redaction of sensitive information. | An app may be able to access information about a user's contacts |  |  | x | x | x |  |  |
| CVE-2023-42901 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42902 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42912 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42903 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42904 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42905 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42906 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42907 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42908 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42909 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42910 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42911 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42926 [moderate] AppleGraphicsControl | Multiple memory corruption issues were addressed with improved input validation. | Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42882 [critical] AppleVA | The issue was addressed with improved memory handling. | Processing an image may lead to arbitrary code execution |  |  | x |  |  |  |  |
| CVE-2023-42924 [moderate] Archive Utility | A logic issue was addressed with improved checks. | An app may be able to access sensitive user data |  |  | x | x |  |  |  |
| CVE-2023-45866 [moderate] Bluetooth | The issue was addressed with improved checks. | An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard |  |  | x |  |  |  |  |
| CVE-2023-42900 [important] CoreMedia Playback | The issue was addressed with improved checks. | An app may be able to access user-sensitive data |  |  | x |  |  |  |  |
| CVE-2023-42886 [moderate] CoreServices | An out-of-bounds read was addressed with improved bounds checking. | A user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2023-42891 [moderate] IOKit | An authentication issue was addressed with improved state management. | An app may be able to monitor keystrokes without user permission |  |  | x | x | x |  |  |
| CVE-2020-19185 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2020-19186 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2020-19187 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2020-19188 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2020-19189 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2020-19190 [critical] ncurses | This issue was addressed with improved checks. | A remote user may be able to cause unexpected app termination or arbitrary code execution |  |  | x | x | x |  |  |
| CVE-2023-42842 [moderate] SharedFileList | The issue was addressed with improved checks. | An app may be able to access sensitive user data |  |  | x |  |  |  |  |
| CVE-2023-42932 [moderate] TCC | A logic issue was addressed with improved checks. | An app may be able to access protected user data |  |  | x | x | x |  |  |
| CVE-2023-5344 [moderate] Vim |  | Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution |  |  | x | x | x |  |  |

 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu