Apple has released security updates for several products to address a set of flaws that it says are being actively exploited.
Updates are available for these products:
|Safari 16.5.1||macOS Big Sur and macOS Monterey|
|iOS 16.5.1 and iPadOS 16.5.1||iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later|
|iOS 15.7.7 and iPadOS 15.7.7||iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)|
|macOS Ventura 13.4.1|
|macOS Monterey 12.6.7|
|macOS Big Sur 11.7.8|
|watchOS 9.5.2||Apple Watch Series 4 and later|
|watchOS 8.8.1||Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE|
CVE-2023-32434: a vulnerability in the Kernel due to an integer overflow. Successful exploitation would enable the attacker to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7. This vulnerability was part of the so-called Operation Triangulation.
CVE-2023-32435: a memory corruption issue in the WebKit component for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.This vulnerability was also part of the so-called Operation Triangulation.
CVE-2023-32439: a type confusion issue in the WebKit component. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.
An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. So let’s say you have a program that expects a number as input, but instead it receives a string (i.e. a sequence of characters), if the program doesn’t properly check that the input is actually a number and tries to perform arithmetic operations on it as if it were a number, it may produce unexpected results which could be abused by an attacker.
Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. So, an attacker would have to trick a victim into visiting a malicious website or open such a page in one of the apps that use WebKit to render their pages. In the case of Operation Triangulation these were reportedly delivered via iMessage as zero-click exploits.
Always keep your systems up to date, contact us for how to keep your business secured on many levels.