Known Exploited Vulnerability - Apple Releases Multiple Emergency Security Patches - 20230922001¶
Overview¶
Apple has released multiple emergency security updates to patch new zero-day vulnerabilities which reports of in the wild exploitation targeting iPhone and Mac users.
These vullnerabilities were found in the WebKit browser engine, the Security framework, and the Kernel Framework.
What is the vulnerability?¶
- CVE-2023-41991 - CVSS v3 Base Score: TBA: A certificate validation issue may allow a malicious app to bypass signature validation.
- CVE-2023-41992 - CVSS v3 Base Score: TBA: A local attacker may be able to elevate their privileges.
- CVE-2023-41993 - CVSS v3 Base Score: TBA: Processing web content may lead to arbitrary code execution.
What is vulnerable?¶
The vulnerability exists in the following products:
| Fixed OS Version | Affected Devices |
|---|---|
| Safari 16.6.1 | macOS Big Sur and Monterey |
| iOS 17.0.1 and iPadOS 17.0.1 | iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later |
| iOS 16.7 and iPadOS 16.7 | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later |
| watchOS 10.0.1 | Apple Watch Series 4 and later |
| macOS Ventura 13.6 | macOS Ventura |
| macOS Monterey 12.7 | macOS Monterey |
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 Hours... (refer Patch Management):