Apple rolled out a comprehensive set of security updates on Monday, including the critical CVE-2023-45866, addressing severe vulnerabilities across multiple platforms.
The updates cover iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser, with a focus on fixing security flaws and backporting solutions for two recently discovered zero-day vulnerabilities to older devices.
iOS and iPadOS Updates, CVE-2023-45866
The security patches for iOS and iPadOS, labeled versions 17.2, provide fixes for 12 security vulnerabilities affecting various components such as AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. Notably, the updates address a critical security issue identified as CVE-2023-45866, brought to light by security researcher Marc Newlin from SkySafe.
This vulnerability posed a significant threat, allowing attackers in a privileged network position to inject keystrokes by spoofing a keyboard. Apple has responded promptly by implementing improved checks in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2.
macOS Sonoma 14.2: Addressing 39 Vulnerabilities
For macOS users, the Sonoma 14.2 update addresses a total of 39 shortcomings, including six bugs affecting the ncurses library. This underscores Apple’s commitment to enhancing the security posture of its desktop operating system.
Safari 17.2 Updates
Apple has also released Safari 17.2, focusing on addressing two critical WebKit flaws (CVE-2023-42890 and CVE-2023-42883). These flaws had the potential to lead to arbitrary code execution and a denial-of-service (DoS) condition. The update is ready for Macs running macOS Monterey and macOS Ventura.
In addition to addressing the identified vulnerabilities, iOS 17.2 and iPadOS 17.2 include a security upgrade in the form of Contact Key Verification. This feature enhances the privacy of iMessage conversations by enabling users to verify the contacts they are communicating with. Apple emphasized in a technical advisory in October 2023 that these improvements protect against key directory compromise and compromise of the transparency service itself.
Simultaneously, Apple has also rolled out iOS 16.7.3 and iPadOS 16.7.3, closing out eight security issues. Of particular concern were two WebKit vulnerabilities (CVE-2023-42916 and CVE-2023-42917), previously disclosed by Redmond and actively exploited in the wild. These vulnerabilities have been successfully patched in tvOS 17.2 and watchOS 10.2, showcasing Apple’s commitment to addressing potential threats across its entire ecosystem.
As of now, there are limited details available regarding the nature of the exploitation and the threat actors involved. Apple’s prompt and comprehensive response to these vulnerabilities highlights its dedication to providing a secure and resilient environment for its users. Users are strongly encouraged to update their devices to the latest software versions to ensure they benefit from the enhanced security measures introduced by these updates.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: