• Apple releases several updates for zero days

    #2610822

    Apple is once again sending out zero day fixes including backporting fixes to older iPhones. Several of these have to do with bugs in webkit and keep
    [See the full post at: Apple releases several updates for zero days]

    Susan Bradley Patch Lady/Prudent patcher

    • #2610827

      iOS 17.2 release notes

      Updated HomePod software 17.2.
      “performance and stability improvements”.

    • #2610828

      macOS Sonoma 14.2 security fixes:

      Accessibility

      Available for: macOS Sonoma

      Impact: Secure text fields may be displayed via the Accessibility Keyboard when using a physical keyboard

      Description: This issue was addressed with improved state management.

      CVE-2023-42874: Don Clarke

      Accounts

      Available for: macOS Sonoma

      Impact: An app may be able to access sensitive user data

      Description: A privacy issue was addressed with improved private data redaction for log entries.

      CVE-2023-42919: Kirin (@Pwnrin)

      AppleEvents

      Available for: macOS Sonoma

      Impact: An app may be able to access information about a user’s contacts

      Description: This issue was addressed with improved redaction of sensitive information.

      CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

      AppleGraphicsControl

      Available for: macOS Sonoma

      Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

      Description: Multiple memory corruption issues were addressed with improved input validation.

      CVE-2023-42901: Ivan Fratric of Google Project Zero

      CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

      CVE-2023-42912: Ivan Fratric of Google Project Zero

      CVE-2023-42903: Ivan Fratric of Google Project Zero

      CVE-2023-42904: Ivan Fratric of Google Project Zero

      CVE-2023-42905: Ivan Fratric of Google Project Zero

      CVE-2023-42906: Ivan Fratric of Google Project Zero

      CVE-2023-42907: Ivan Fratric of Google Project Zero

      CVE-2023-42908: Ivan Fratric of Google Project Zero

      CVE-2023-42909: Ivan Fratric of Google Project Zero

      CVE-2023-42910: Ivan Fratric of Google Project Zero

      CVE-2023-42911: Ivan Fratric of Google Project Zero

      CVE-2023-42926: Ivan Fratric of Google Project Zero

      AppleVA

      Available for: macOS Sonoma

      Impact: Processing an image may lead to arbitrary code execution

      Description: The issue was addressed with improved memory handling.

      CVE-2023-42882: Ivan Fratric of Google Project Zero

      Archive Utility

      Available for: macOS Sonoma

      Impact: An app may be able to access sensitive user data

      Description: A logic issue was addressed with improved checks.

      CVE-2023-42924: Mickey Jin (@patch1t)

      AVEVideoEncoder

      Available for: macOS Sonoma

      Impact: An app may be able to disclose kernel memory

      Description: This issue was addressed with improved redaction of sensitive information.

      CVE-2023-42884: an anonymous researcher

      Bluetooth

      Available for: macOS Sonoma

      Impact: An attacker in a privileged network position may be able to inject keystrokes by spoofing a keyboard

      Description: The issue was addressed with improved checks.

      CVE-2023-45866: Marc Newlin of SkySafe

      CoreMedia Playback

      Available for: macOS Sonoma

      Impact: An app may be able to access user-sensitive data

      Description: The issue was addressed with improved checks.

      CVE-2023-42900: Mickey Jin (@patch1t)

      CoreServices

      Available for: macOS Sonoma

      Impact: A user may be able to cause unexpected app termination or arbitrary code execution

      Description: An out-of-bounds read was addressed with improved bounds checking.

      CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

      ExtensionKit

      Available for: macOS Sonoma

      Impact: An app may be able to access sensitive user data

      Description: A privacy issue was addressed with improved private data redaction for log entries.

      CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

      Find My

      Available for: macOS Sonoma

      Impact: An app may be able to read sensitive location information

      Description: This issue was addressed with improved redaction of sensitive information.

      CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

      ImageIO

      Available for: macOS Sonoma

      Impact: Processing an image may lead to arbitrary code execution

      Description: The issue was addressed with improved memory handling.

      CVE-2023-42898: Junsung Lee

      CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

      IOKit

      Available for: macOS Sonoma

      Impact: An app may be able to monitor keystrokes without user permission

      Description: An authentication issue was addressed with improved state management.

      CVE-2023-42891: an anonymous researcher

      Kernel

      Available for: macOS Sonoma

      Impact: An app may be able to break out of its sandbox

      Description: The issue was addressed with improved memory handling.

      CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

      ncurses

      Available for: macOS Sonoma

      Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

      Description: This issue was addressed with improved checks.

      CVE-2020-19185

      CVE-2020-19186

      CVE-2020-19187

      CVE-2020-19188

      CVE-2020-19189

      CVE-2020-19190

      SharedFileList

      Available for: macOS Sonoma

      Impact: An app may be able to access sensitive user data

      Description: The issue was addressed with improved checks.

      CVE-2023-42842: an anonymous researcher

      TCC

      Available for: macOS Sonoma

      Impact: An app may be able to access protected user data

      Description: A logic issue was addressed with improved checks.

      CVE-2023-42932: Zhongquan Li (@Guluisacat)

      Vim

      Available for: macOS Sonoma

      Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

      Description: This issue was addressed by updating to Vim version 9.0.1969.

      CVE-2023-5344

      WebKit

      Available for: macOS Sonoma

      Impact: Processing web content may lead to arbitrary code execution

      Description: The issue was addressed with improved memory handling.

      WebKit Bugzilla: 259830
      CVE-2023-42890: Pwn2car

      WebKit

      Available for: macOS Sonoma

      Impact: Processing an image may lead to a denial-of-service

      Description: The issue was addressed with improved memory handling.

      WebKit Bugzilla: 263349
      CVE-2023-42883: Zoom Offensive Security Team

    • #2610857

      Safari update.
      Safari 17.2 Security content of Safari 17.2

    • #2610876

      I’m curious. I have an iPhone SE (2nd edition) with iOS 16.7.2. The table says iOS 16.7.3 is available for “iPhone 8 and later” so why is my iPhone now only offering me iOS 17.2? With the last update, I was offered iOS 16.7.2 and iOS 17. I chose iOS 16.7.2 and would like to continue with iOS 16.7.3 if possible!

      Thanks,

      Steve H.

      • #2610884

        In Settings\General\About verify you are on iOS 16.7.2

        Then under Software Updates, scroll down and look under the iOS 17.2 and see if there is a “more” options link for 16.7.3. If so, choose that.

        • #2611169

          I checked on my iPad 8th gen iOS 16.7.2 and it is only offering 17.2 with no “more” options. I too have an SE2, thus will await to see if they offer 16.7.3 in a few days. In the past, I’ve found Apple delays the ‘more’ option for approx a week as they try to get an uptick on 17.2. I hope that is the case. Like others, I don’t like being ‘forced’, esp on such a big leap from 16’s to 17’s with features of no interest to me (that will likely tax my older SE2).

    • #2610999

      APPLE-SA-12-11-2023-8 watchOS 10.2

      watchOS 10.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214041.

      APPLE-SA-12-11-2023-7 tvOS 17.2

      tvOS 17.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214040.

      APPLE-SA-12-11-2023-5 macOS Ventura 13.6.3

      macOS Ventura 13.6.3 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214038.

      APPLE-SA-12-11-2023-6 macOS Monterey 12.7.2

      macOS Monterey 12.7.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214037.

      APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

      macOS Sonoma 14.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214036.

      APPLE-SA-12-11-2023-3 iOS 16.7.3 and iPadOS 16.7.3

      iOS 16.7.3 and iPadOS 16.7.3 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214034.

      APPLE-SA-12-11-2023-2 iOS 17.2 and iPadOS 17.2

      iOS 17.2 and iPadOS 17.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214035.

      APPLE-SA-12-11-2023-1 Safari 17.2

      Safari 17.2 addresses the following issues.
      Information about the security content is also available at
      https://support.apple.com/kb/HT214039.

    • #2611058

      On my iPhone 12 I see the update prompt for 17.2, but I don’t have an option to download 16.7.3 (I’m currently on 16.7.2). How do I get 16.7.3?

    • #2611113

      On my iPhone 12 I see the update prompt for 17.2, but I don’t have an option to download 16.7.3 (I’m currently on 16.7.2). How do I get 16.7.3?

      If you are offered 17.2 why do you want 16.7.3? Do you think it is more stable/secure?
      I am running 17.2 betas/RC on iPhone and iPad for weeks with zero problems.

    • #2611124

      Thanks for the link PKCano. I went ahead and upgraded to 17.2

      Alex5723 – I just wanted the choice. I’m perfectly happy with 16.7.2. I was planning on eventually upgrading to 17.x, but I just don’t appreciate Apple forcing it on me.

    • #2611129

      but I just don’t appreciate Apple forcing it on me.

      Apple is forcing OS updates (and blocking OS downgrade) so as to be sure users are running the most secure, private… OS version.
      16.7.3 doesn’t have the new 17.2 features.

    • #2611240

      iPhone 8 16.7.2 -> 16.7.3
      iPhone XR 16.7.2 -> 17.2
      iPad Air 4 16.7.2 -> 17.2

      If Apple had offered iOS 16.7.3 on my “newer” iPhones as well as 17.2 I would have preferred to update to that as I would prefer to stay on 16 for a while longer. Well, we know Apple wants to force users to the “latest and greatest” and will normally only allow one or two months before the previous iOS / iPadOS is deemed not to be the latest and greatest.

      In my limited testing so far iOS / iPadOS 17.2 does not seem to have any significant issues. In particular it does not have the WiFi connection problems which seemed to have plagued earlier versions of 17. I will wait a few more days until the next charge cycle for my iPhones 13 / SE 2 just to see if I find any significant problems with 17.2. If not then I shall probably update my 13 / SE 2 then.

      I believe the time to update the operating systems like Windows and iOS on the devices I use should be entirely up to me, and not to Apple or Microsoft, and certainly I do not agree with those people who say something to the tone of “You must update/upgrade to the latest versions immediately or as soon as they are available or you are doomed.” I alone will decide when to update them, and the fact that they are available now does not mean I have to update now. I will wait for as long as I want until I can be reasonably certain updating/upgrading will not bring any significant issues to me.

      I appreciate Apple for allowing me to turn off automatic updates completely on iOS and MacOS and allowing me to decide when I will update.

      Hope for the best. Prepare for the worst.

    • #2611341

      If Apple had offered iOS 16.7.3 on my “newer” iPhones as well as 17.2 I would have preferred to update to that as I would prefer to stay on 16 for a while longer.

      It does offer both to 16.7.2 users.
      You have to scroll down on the update screen to see the offer for 16.7.3

      • #2611451

        PS You can still restore your backup from iCloud to get to 16.7.2 and then update to 16.7.3

      • #2611600

        Thanks Alex, but do you have a screen shot of ‘16.7.3’ being offered as an option vs 17.2 for an SE2 or an iPad 8th gen? That would be helpful. As per my post 2611167 above, there is no such option?

      • #2611970

        If Apple had offered iOS 16.7.3 on my “newer” iPhones as well as 17.2 I would have preferred to update to that as I would prefer to stay on 16 for a while longer.

        It does offer both to 16.7.2 users.
        You have to scroll down on the update screen to see the offer for 16.7.3

        It does not. As I think you have now recognized.

        No iOS devices that can be upgraded to 17 will be offered 16.7.3 and later versions of 16.

        I saw that on my iPhone SE 2, iPhone XR and iPhone 13, and on my father’s iPhone 12 Pro and iPhone SE 3, and on my iPad Air 4. They were all offered 17.2 only.

        I was quite amused when I saw that some of you still believed that iOS 16.7.3 and iOS 17.2 will still be offered concurrently on iOS devices that can run iOS 17. Once I saw some time ago that Apple no longer considered iOS 16.7.2 the “latest” version and I was encouraged to upgrade to iOS 17.1.1 I knew from that point on no future iOS 16 version will be offered to iOS devices that can run 17.

        How do I know? Apple did something similar last year. When iOS 15.7.2 was released last year, the iPhone 8, which can run 16, was only offered 16.2. While the iPhone 7 which Apple deemed unable to run 16 was offered 15.7.2. I have the iPhone 7 and 8 so I knew this first hand. Of course, any iPhone 8 or later which was on older versions was only offered 16 at that time including my iPhone SE 2 and XR.

        My conclusion: What Apple seems to do when a new iOS major version is released is to keep the older version concurrently offered for a while on devices that can run both versions. After a while (this year seems to be the middle of November, about two months after the release of iOS 17), the older version will no longer be offered to devices that can run the new version. All iOS devices that can run the new version will only be offered the new version via the Settings app.

        Hope for the best. Prepare for the worst.

    • #2611456

      Just updated iPad to version 17.2 and it seems to work fine

    • #2611644

      Thanks Alex, but do you have a screen shot of ‘16.7.3’ being offered as an option vs 17.2 for an SE2 or an iPad 8th gen?

      No, I don’t have a screen shot. I am running beta OS versions.

    • #2611758

      Thanks Alex, but do you have a screen shot of ‘16.7.3’ being offered as an option vs 17.2 for an SE2 or an iPad 8th gen? That would be helpful. As per my post 2611167 above, there is no such option?

      You can download .IPSW 16.7.3 for your device(s) and downgrade from 17.2

    • #2611882

      Thanks Alex, but do you have a screen shot of ‘16.7.3’ being offered as an option vs 17.2 for an SE2 or an iPad 8th gen? That would be helpful. As per my post 2611167 above, there is no such option?

      You can download .IPSW 16.7.3 for your device(s) and downgrade from 17.2

      Correction: Apple doesn’t offer 16.7.3 to iPhone SE 2020

    • #2612014

      All iOS devices that can run the new version will only be offered the new version via the Settings app.

      It worked in the past with iOS 15.x – iOS 16

      You probably got a similar screen running iOS 16.7.x when iOS 17 has been released.
