Dozens of Bugs Patched in Apple TVs and Watches, Macs, iPads, iPhones

On Dec. 11, Apple released patches for dozens of vulnerabilities affecting iPhones, Macs, Apple TVs, Apple Watches, and its Safari browser.

The long list includes 39 vulnerabilities fixed for macOS Sonoma version 14.2.

Among them are CVE-2023-42914, a kernel issue with the potential to allow apps to break out of their sandboxes; CVE-2023-42894, an AppleEvents issue that opens the door for apps to access a user's contacts without authorization; and two CVEs specific to Safari Webkit — an arbitrary code execution bug, CVE-2023-42890; and a denial-of service bug, CVE-2023-42883.

Monday's updates also included a dozen new fixes in iOS and iPadOS 17.2, eight of which apply equally to version 16.7.3.

They include CVE-2023-42922, which may have allowed apps to read sensitive location information via FindMy; CVE-2023-42923, enabling unauthenticated access to private browsing tabs; and CVE-2023-42897, discovered by a student at the University of Texas, in which an attacker with physical access to a device may have been able to take advantage of Siri to obtain sensitive user data.

Notable CVEs in Apple Watch, Bluetooth

Two Webkit vulnerabilities which had previously been patched on iPhones, iPads, and Macbooks have, as of Dec. 11, been patched for Apple Watches as well. CVE-2023-42916, assigned a 6.5 "Medium" CVSS score, and CVE-2023-42917 — 8.8 "High" — both "allow attackers to access sensitive information through out-of-bounds reads and execute remote code execution (RCE) via memory corruption through malicious webpages," explains Mike Walters, president and co-founder of Action1.

Apple noted that these vulnerabilities were reported to have been exploited in versions of iOS prior to 16.7.1. "Given the researcher's previous work," Walters says of the Google TAG analyst responsible for their discovery, "it suggests that they are related to spyware or an APT. However, as usual, the vendor won't disclose this information."

Another line item that made recent headlines is CVE-2023-45866, an authentication bypass vulnerability affecting macOS and iOS, as well as Linux and Android.

First reported to the vendors back in early August, and made public as of last week, this CVE only affects Apple devices when Bluetooth is on and they're paired with a Magic Keyboard. In such cases, though, an attacker on a Linux computer with a standard Bluetooth adapter can inject keystrokes on a targeted device, performing any actions the victim could, in lieu of any authentication barriers.

RedHat assigned CVE-2023-45866 a 7.1 CVSS score, qualifying it as "High" severity.

In a GitHub ReadME, the researcher responsible for the discovery lamented persistent security issues affecting Bluetooth devices. "I'm really not sure what sort of wireless keyboard to recommend at this point," he wrote. "If you are reading this and you make a secure wireless keyboard, please send me one so I can hack it for you."