Apple Releases Security Updates for Multiple Products - 20231213003
Overview
Apple has released security updates for Safari, iOS and iPadOS, Sonoma, Ventura, and Monterey to address multiple vulnerabilities. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
What is the vulnerability?
- WebKit - Processing web content vulnerability CVE-2023-42890 - CVSS v3 Base Score: N/A
- WebKit - Processing an image vulnerability CVE-2023-42883 - CVSS v3 Base Score: N/A
- Accessibility - Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard vulnerability CVE-2023-42874 - CVSS v3 Base Score: N/A
- Accounts - An app may be able to access sensitive user data vulnerability CVE-2023-42919 - CVSS v3 Base Score: N/A
- AppleEvents - An app may be able to access information about a user's contacts CVE-2023-42894 - CVSS v3 Base Score: N/A
- AppleGraphicsControl - Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution CVE-2023-42926 - CVSS v3 Base Score: N/A
- AppleVA - Processing an image may lead to arbitrary code execution CVE-2023-42882 - CVSS v3 Base Score: N/A
- AppleVA - Processing a file may lead to unexpected app termination or arbitrary code execution CVE-2023-42881 - CVSS v3 Base Score: N/A
- Archive Utility - An app may be able to access sensitive user data CVE-2023-42924 - CVSS v3 Base Score: N/A
- AVEVideoEncoder - An app may be able to disclose kernel memory CVE-2023-42924 - CVSS v3 Base Score: N/A
- Bluetooth - An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard CVE-2023-45866 - CVSS v3 Base Score: N/A
- CoreMedia Playback - An app may be able to access user-sensitive data CVE-2023-42900 - CVSS v3 Base Score: N/A
- CoreServices - A user may be able to cause unexpected app termination or arbitrary code execution CVE-2023-42886 - CVSS v3 Base Score: N/A
- ExtensionKit - An app may be able to access sensitive user data CVE-2023-42927 - CVSS v3 Base Score: N/A
- Find My - An app may be able to read sensitive location information CVE-2023-42922 - CVSS v3 Base Score: N/A
- ImageIO - Processing an image may lead to arbitrary code execution CVE-2023-42898 - CVSS v3 Base Score: N/A; CVE-2023-42899 - CVSS v3 Base Score: N/A
- IOKit - An app may be able to monitor keystrokes without user permission CVE-2023-42891 - CVSS v3 Base Score: N/A
- Kernel - An app may be able to break out of its sandbox CVE-2023-42914 - CVSS v3 Base Score: N/A
- ncurses - A remote user may be able to cause unexpected app termination or arbitrary code execution CVE-2023-19190 - CVSS v3 Base Score: N/A
- SharedFileList - An app may be able to access sensitive user data CVE-2023-42842 - CVSS v3 Base Score: N/A
- TCC - An app may be able to access protected user data CVE-2023-42932 - CVSS v3 Base Score: N/A
- Vim - Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution CVE-2023-5344 - CVSS v3 Base Score: N/A
- Safari Private Browsing - Private Browsing tabs may be accessed without authentication CVE-2023-42923 - CVSS v3 Base Score: N/A
- Siri - An attacker with physical access may be able to use Siri to access sensitive user data CVE-2023-42897 - CVSS v3 Base Score: N/A
What is vulnerable?
The vulnerability affects the following products:
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):