Apple has released fixes for several security flaws that affect its iPhones, iPads, macOS computers, and Apple TV and watches, and warned that some of these bugs have already been exploited.
Here's a quick list of all of the security updates released late on Monday afternoon:
On Tuesday the US government's Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm, too, warning that "an attacker could exploit some of these vulnerabilities to take control of an affected device." CISA urged users and admins to apply the software updates, and check automatic patching systems are working properly. We second that opinion.
One of the bugs, CVE-2023-32409, in Apple's WebKit browser engine affects iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). This one was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab.
"A remote attacker may be able to break out of Web Content sandbox," according to the iGiant's advisory. "Apple is aware of a report that this issue may have been actively exploited."
Apple says it has fixed the issue by improving bounds checks. And although the tech giant never provides details about how the vulnerability was abused, or by whom, the bug hunters who spotted the software nasty would seem to indicate that it's being used to deploy spyware onto victims' devices.
TAG tracks more than 30 commercial spyware makers that sell exploits and surveillance software. Journalists, activists, and political dissidents tend to be targeted by snoopware, which Amnesty takes a keen interest in scrutinizing.
In this same batch of security updates, Apple said it fixed a kernel-level bug, CVE-2023-38606, for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
"An app may be able to modify sensitive kernel state," the iPhone maker warned. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1."
Apple credits Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy KucherinLeonid Bezvershenko, and Boris Larin with finding this bug, which looks like another kernel vulnerability uncovered by this same team that was used to infect iPhones with TriangleDB spyware.
This same kernel bug, CVE-2023-38606, affects several other Apple products, and there are now patches for macOS Ventura, macOS Monterey, macOS Big Sur, Apple Watch Series 4 and later, Apple TV 4K (all models), and Apple TV HD.
Another vulnerability in WebKit in tvOS 16, watchOS 9.6, macOS Ventura, iOS 16 and iPadOS 16, tracked as CVE-2023-37450, also may have been exploited before the company pushed patches, we're told. The flaw discovered by an anonymous researcher, occurs when processing web content, which may lead to arbitrary code execution. Patches are available for all Apple TV 4K models, Apple TV HD, and Apple Watch Series 4 and later, and other devices.
Previously, Apple fixed this same issue in some iPhones and iPads via a "rapid security response" in iOS 16.5.1 (c) and iPadOS 16.5.1 (c). These are the new type of patches that Apple began rolling out in May, with mixed results.
The patches are supposed to be downloaded and applied automatically to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss, and thus leave their kit vulnerable. ®
Source: The register