APPLE RELEASES SECURITY PATCHES FOR A LIST OF VULNERABLE PRODUCTS.

Apple has released security patches for a list of its vulnerable products. It has been one heck of a month, from WWDC 2023 to the big unveiling of various new products.

While it is said that Apple works hard, it is no myth that the bad guys (threat actors) work twice as hard to find loopholes in the tech giant, and that includes its grandest products.

According to security updates disclosed on 21 June 2023, a list of Apple products is vulnerable to exploit code. An attacker could exploit the vulnerabilities found in them and take control of the affected devices.


The list of updates provided for affected products includes the following:

  • watchOS 8.8.1
  • macOS Big Sur 11.7.8
  • macOS Monterey 12.6.7
  • iOS 15.7.7 and iPadOS 15.7.7
  • watchOS 9.5.2
  • macOS Ventura 13.4.1
  • iOS 16.5.1 and iPadOS 16.5.1

Apple Inc. stated that:

“For our customer’s protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” – Apple Inc.

Checking the official statement on their support website validates the vulnerability findings.

watchOS 8.8.1 Addresses Vulnerabilities:

watchOS 8.8.1 addresses a vulnerability that affects the kernel (the core of a computer's operating system, which has overall control of everything on the hardware: applications, the CPU (Central Processing Unit), memory (RAM), and devices).

This affects the Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE. That is quite a whole lot of Siri’s (pun intended) that are affected.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound.

It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.
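A generic illustration of the wraparound described above, added here as an example; it is not Apple's code and does not reproduce CVE-2023-32434. The record size, the sample count and all function names are assumptions made for the illustration, which shows an unchecked 32-bit size calculation beside a checked one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE 16u /* constructed record size, an assumption for this example */

/* Unchecked: the 32-bit product wraps modulo 2^32, so a huge count
 * can yield a tiny allocation size. */
static uint32_t alloc_size_unchecked(uint32_t count) {
    return count * ELEM_SIZE;
}

/* What a later per-record loop would really touch, computed in 64 bits. */
static uint64_t true_bytes_needed(uint32_t count) {
    return (uint64_t)count * ELEM_SIZE;
}

/* Checked: refuse any count whose byte size does not fit in 32 bits. */
static int alloc_size_checked(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

/* Hardened copy: validates the size against both the integer range and
 * the bytes actually supplied before allocating and copying. */
static uint8_t *copy_records(const uint8_t *src, size_t src_len, uint32_t count) {
    uint32_t need;
    if (alloc_size_checked(count, &need) != 0 || need > src_len)
        return NULL;
    uint8_t *buf = malloc(need ? need : 1);
    if (buf != NULL)
        memcpy(buf, src, need);
    return buf;
}

int main(void) {
    uint32_t count = 0x10000001u; /* constructed untrusted count */
    uint32_t need = 0;
    printf("unchecked size: %u bytes\n", alloc_size_unchecked(count));
    printf("bytes a copy loop would touch: %llu\n",
           (unsigned long long)true_bytes_needed(count));
    printf("checked: %s\n",
           alloc_size_checked(count, &need) ? "rejected" : "accepted");
    return 0;
}
```

The gap between the wrapped size and the bytes a loop over `count` records would touch is what turns an arithmetic bug into memory corruption; the checked path closes it by rejecting the request before any allocation.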

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky.  

macOS Big Sur 11.7.8 Addresses Vulnerabilities:

macOS Big Sur 11.7.8 addresses the vulnerability found in older versions of iOS released before iOS 15.7. Users who are still running an iOS version earlier than iOS 15.7 are easily exploited through this vulnerability. An attacker may execute arbitrary code with kernel privileges.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound. It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

Apple stated:

“We are aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7” 

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

macOS Monterey 12.6.7 Addresses Vulnerabilities:

The update addresses the vulnerability, which allows an attacker to execute arbitrary code with kernel privileges.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound. It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

iOS 15.7.7 and iPadOS 15.7.7 Address Vulnerabilities in:

Kernel:

iOS 15.7.7 and iPadOS 15.7.7 address the vulnerability found in the kernel for the following products: iPhone 6S (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). Users still running versions older than iOS 15.7 are vulnerable to an attacker exploiting the device models stated above.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound. It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

WebKit:

iOS 15.7.7 and iPadOS 15.7.7 address the vulnerability found in WebKit for the following products: iPhone 6S (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

Description:

The vulnerability is a type confusion issue. This allows an attacker to force a signature verification different from the one intended when accessing a web URL.

Impact:

Processing maliciously crafted web content allows the attacker to execute arbitrary code on the victim’s device.

The vulnerability has a CVE, CVE-2023-32439, and was reported by an anonymous researcher.

WebKit:

iOS 15.7.7 and iPadOS 15.7.7 address the vulnerability found in WebKit for the following products: iPhone 6S (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

Description:

The vulnerability addressed is a memory corruption issue. An attacker can successfully execute arbitrary code, which in turn will crash the device or even give privileged access (privilege escalation) on the vulnerable device.

Impact:

The vulnerability allows the processing of web content to execute arbitrary code from the attacker.

The vulnerability has a CVE, CVE-2023-32435, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

watchOS 9.5.2 Addresses Vulnerabilities in:

Kernel:

watchOS 9.5.2 addresses the vulnerability found in the kernel of all Apple Watch Series 4 and later.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound.

It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

macOS Ventura 13.4.1 Addresses Vulnerabilities in:

Kernel:

macOS Ventura 13.4.1 addresses the vulnerability found in the kernel of macOS Ventura.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound.

It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

WebKit:

macOS Ventura 13.4.1 addresses the vulnerability found in the WebKit of macOS Ventura.

Description:

The vulnerability is a type confusion issue. This allows an attacker to force a signature verification different from the one intended when accessing a web URL.

Impact:

Processing maliciously crafted web content allows the attacker to execute arbitrary code on the victim’s device.

The vulnerability has a CVE, CVE-2023-32439, and was reported by an anonymous researcher.

iOS 16.5.1 and iPadOS 16.5.1 Address Vulnerabilities in:

Kernel:

iOS 16.5.1 and iPadOS 16.5.1 address the vulnerability found in iPhone 8 or later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Description:

The vulnerability is an integer overflow, which is also known as a wraparound.

It occurs when an operation outputs a numeric value that falls outside the allocated memory space and overflows the range of values the integer can hold.

Impact:

An application installed on the device may be able to execute arbitrary code with kernel privileges. This will compromise the CIA triad in cybersecurity (Confidentiality, Integrity, Availability).

The vulnerability has a CVE, CVE-2023-32434, and was reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky. 

WebKit:

iOS 16.5.1 and iPadOS 16.5.1 address the vulnerability found in iPhone 8 or later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Description:

The vulnerability is a type confusion issue. This allows an attacker to force a signature verification different from the one intended when accessing a web URL.

Impact:

Processing maliciously crafted web content allows the attacker to execute arbitrary code on the victim’s device.

The vulnerability has a CVE, CVE-2023-32439, and was reported by an anonymous researcher.

Mitigation:

  • Users of the following Apple Watch devices, Series 3, Series 4, Series 5, Series 6, Series 7, and SE, are advised to update to watchOS 8.8.1.
  • Users on older versions of macOS Big Sur should update to macOS Big Sur 11.7.8.
  • Users on older versions of macOS Monterey should update to macOS Monterey 12.6.7.
  • Users of the following devices, iPhone 6S (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation), should update to iOS 15.7.7 and iPadOS 15.7.7.
  • Users of Apple Watch Series 4 and later should update their devices to watchOS 9.5.2.
  • Users on older versions of macOS Ventura should update to macOS Ventura 13.4.1.
  • Users of iPhone 8 or later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later are advised to update their firmware to iOS 16.5.1 and iPadOS 16.5.1.
