On Dec. 11, Apple released patches for dozens of vulnerabilities affecting iPhones, Macs, Apple TVs, Apple Watches, and its Safari browser.
The long list includes 39 vulnerabilities fixed for macOS Sonoma version 14.2.
Among them are CVE-2023-42914, a kernel issue that could allow an app to break out of its sandbox; CVE-2023-42894, an AppleEvents issue that could let an app access a user's contacts without authorization; and two CVEs specific to Safari's WebKit engine: an arbitrary code execution bug, CVE-2023-42890, and a denial-of-service bug, CVE-2023-42883.
Monday's updates also included a dozen new fixes in iOS and iPadOS 17.2, eight of which apply equally to version 16.7.3.
They include CVE-2023-42922, which may have allowed an app to read sensitive location information via Find My; CVE-2023-42923, which allowed access to Private Browsing tabs without authentication; and CVE-2023-42897, discovered by a student at the University of Texas, in which an attacker with physical access to a device may have been able to use Siri to obtain sensitive user data.
Two WebKit vulnerabilities that had previously been patched on iPhones, iPads, and MacBooks have, as of Dec. 11, been patched for Apple Watches as well.
Apple noted that it is aware of reports that these issues may have been exploited against versions of iOS prior to 16.7.1.
A separate Bluetooth vulnerability, first reported to the affected vendors in early August and made public last week, affects Apple devices only when Bluetooth is on and the device is paired with a Magic Keyboard.
In that configuration, an attacker using a Linux computer with a standard Bluetooth adapter can inject keystrokes into the targeted device, without passing any authentication barrier, and so perform any action the victim could perform from the keyboard.
In a GitHub README, the researcher responsible for the discovery lamented the persistent security issues affecting Bluetooth devices.
This article was published on www.darkreading.com. Publication date: Tue, 12 Dec 2023 21:15:17 +0000