Tuesday, 26 September 2023

Apple squashes security bugs

 Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) in macOS, iOS and iPadOS.

Affected Systems

  • macOS Monterey 12.7
  • macOS Ventura 13.6
  • watchOS 9.6.3
  • watchOS 10.0.1
  • iOS 16.7 and iPadOS 16.7
  • iOS 17.0.1 and iPadOS 17.0.1
  • Safari 16.6.1

Apple emitted patches this week to close security holes that have been exploited in the wild by commercial spyware.

The bugs are:

  1. CVE-2023-41991: According to Apple, "a malicious app may be able to bypass signature validation," and was fixed by correcting "a certificate validation issue."
  2. CVE-2023-41992: This is a kernel-level privilege escalation hole that was fixed "with improved checks." This can be abused by rogue applications and users to gain the necessary privileges to take full control of a device.
  3. CVE-2023-41993: Apple said "processing web content may lead to arbitrary code execution," which again was addressed "with improved checks." A maliciously crafted webpage could exploit this when someone browses that page on a vulnerable device. We could see these bugs being chained together: a webpage could inject code that elevates its privileges to kernel level to take over a system, for instance.

Each bug, according to Apple, "may have been actively exploited against versions of iOS before iOS 16.7." However, due to the way the iGiant's various products share various bits of the same code, it's not just iPhones and iOS that are vulnerable: other Apple gear is affected and ought to be patched so that further exploitation is prevented.

Solution

Apply workarounds at:

  • https://support.apple.com/en-us/HT213932
  • https://support.apple.com/kb/HT213931
  • https://support.apple.com/kb/HT213929
  • https://support.apple.com/kb/HT213928
  • https://support.apple.com/kb/HT213927
  • https://support.apple.com/kb/HT213926
  • https://support.apple.com/kb/HT213930

Original Advisory

Apple Support

https://support.apple.com/

NOTE: The information is provided on an “as is” basis, without assurance of any kind.