My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Apple Updates Everything (again)

Published: 2023-07-24. Last Updated: 2023-07-24 18:18:56 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple released one of its usual "step" upgrades for its operating systems. This covers iOS, iPadOS, macOS, tvOS and watchOS. The update also includes the vulnerability patched in the last rapid security response update.

Our "ChatGPT CVSS calculator" didn't work well this time. I still left the scores in, but if you see "0", "?" or "unknown,": This means ChatGPT didn't respond with a CVSS score.

iOS 16.6 and iPadOS 16.6 iOS 15.7.8 and iPadOS 15.7.8 macOS Ventura 13.5 macOS Monterey 12.6.8 macOS Big Sur 11.7.9 tvOS 16.6 watchOS 9.6
CVE-2023-38136 [important] ChatGPT-CVSS: 9.8 Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x           x
CVE-2023-38580 [important] ChatGPT-CVSS: ?  Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x   x       x
CVE-2023-32416 [important] ChatGPT-CVSS: unknown Find My
A logic issue was addressed with improved restrictions.
An app may be able to read sensitive location information
x x x x     x
CVE-2023-32734 [important] ChatGPT-CVSS: unknown. Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x   x     x x
CVE-2023-32441 [important] ChatGPT-CVSS: 8.8 Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x x x x x x x
CVE-2023-38261 [important] ChatGPT-CVSS: unknown. Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x   x        
CVE-2023-38424 [important] ChatGPT-CVSS: unknown Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x   x        
CVE-2023-38425 [important] ChatGPT-CVSS: 9.8 Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x   x        
CVE-2023-38606 [moderate] ChatGPT-CVSS: unknown. *** EXPLOITED *** Kernel
This issue was addressed with improved state management.
An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
x x x x x x x
CVE-2023-32381 [important] ChatGPT-CVSS:  unkown. Kernel
A use-after-free issue was addressed with improved memory management.
An app may be able to execute arbitrary code with kernel privileges
x   x x x x x
CVE-2023-32433 [important] ChatGPT-CVSS: Unknown. Kernel
A use-after-free issue was addressed with improved memory management.
An app may be able to execute arbitrary code with kernel privileges
x x x x x x x
CVE-2023-35993 [important] ChatGPT-CVSS: Unknown. Kernel
A use-after-free issue was addressed with improved memory management.
An app may be able to execute arbitrary code with kernel privileges
x x x x x x x
CVE-2023-38410 [important] ChatGPT-CVSS: 0 Kernel
The issue was addressed with improved checks.
A user may be able to elevate privileges
x   x        
CVE-2023-38603 [moderate] ChatGPT-CVSS: 0 Kernel
The issue was addressed with improved checks.
A remote user may be able to cause a denial-of-service
x   x        
CVE-2023-38565 [important] ChatGPT-CVSS: 7.0. libxpc
A path handling issue was addressed with improved validation.
An app may be able to gain root privileges
x   x x x   x
CVE-2023-38593 [important] ChatGPT-CVSS: 0 libxpc
A logic issue was addressed with improved checks.
An app may be able to cause a denial-of-service
x   x x x   x
CVE-2023-32437 [important] ChatGPT-CVSS: 0 NSURLSession
The issue was addressed with improvements to the file handling protocol.
An app may be able to break out of its sandbox
x            
CVE-2023-38572 [moderate] ChatGPT-CVSS: 0 WebKit
The issue was addressed with improved checks.
A website may be able to bypass Same Origin Policy
x x x     x x
CVE-2023-38594 [critical] ChatGPT-CVSS: unknown. WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution
x x x     x x
CVE-2023-38595 [critical] ChatGPT-CVSS: 0 WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution
x   x     x x
CVE-2023-38600 [critical] ChatGPT-CVSS: unknown. WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution
x   x     x x
CVE-2023-38611 [critical] ChatGPT-CVSS: 8.1 WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
x   x     x x
CVE-2023-37450 [critical] ChatGPT-CVSS: 8.2 *** EXPLOITED *** WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
x   x     x x
CVE-2023-38597 [critical] ChatGPT-CVSS: 8.6 WebKit Process Model
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution
x x x        
CVE-2023-38133 [moderate] ChatGPT-CVSS: 0 WebKit Web Inspector
The issue was addressed with improved checks.
Processing web content may disclose sensitive information
x x x     x x
CVE-2023-23540 [important] ChatGPT-CVSS: unknown  Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
  x          
CVE-2023-32409 [moderate] ChatGPT-CVSS: 8.8 *** EXPLOITED *** WebKit
The issue was addressed with improved bounds checks.
A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
  x          
CVE-2023-36862 [moderate] ChatGPT-CVSS: unknown AppleMobileFileIntegrity
A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.
An app may be able to determine a user?s current location
    x        
CVE-2023-32364 [moderate] ChatGPT-CVSS: 0 AppSandbox
A logic issue was addressed with improved restrictions.
A sandboxed process may be able to circumvent sandbox restrictions
    x        
CVE-2023-35983 [important] ChatGPT-CVSS: 8.2 Assets
This issue was addressed with improved data protection.
An app may be able to modify protected parts of the file system
    x x x    
CVE-2023-28319 [moderate] ChatGPT-CVSS: unknown. curl
Multiple issues were addressed by updating curl.
Multiple issues in curl
    x x x    
CVE-2023-28320 [moderate] ChatGPT-CVSS: 0 curl
Multiple issues were addressed by updating curl.
Multiple issues in curl
    x x x    
CVE-2023-28321 [moderate] ChatGPT-CVSS: unknown. curl
Multiple issues were addressed by updating curl.
Multiple issues in curl
    x x x    
CVE-2023-28322 [moderate] ChatGPT-CVSS: unknown. curl
Multiple issues were addressed by updating curl.
Multiple issues in curl
    x x x    
CVE-2023-32418 [moderate] ChatGPT-CVSS: 4.0 Grapher
The issue was addressed with improved checks.
Processing a file may lead to unexpected app termination or arbitrary code execution
    x x x    
CVE-2023-36854 [moderate] ChatGPT-CVSS: unknown. Grapher
The issue was addressed with improved checks.
Processing a file may lead to unexpected app termination or arbitrary code execution
    x x x    
CVE-2023-38258 [important] ChatGPT-CVSS: 0 Model I/O
The issue was addressed with improved checks.
Processing a 3D model may result in disclosure of process memory
    x x      
CVE-2023-38421 [important] ChatGPT-CVSS: 0 Model I/O
The issue was addressed with improved checks.
Processing a 3D model may result in disclosure of process memory
    x x      
CVE-2023-2953 [moderate] ChatGPT-CVSS: 0 OpenLDAP
The issue was addressed with improved memory handling.
A remote user may be able to cause a denial-of-service
    x x x    
CVE-2023-38259 [important] ChatGPT-CVSS: 0 PackageKit
A logic issue was addressed with improved restrictions.
An app may be able to access user-sensitive data
    x x x    
CVE-2023-38564 [important] ChatGPT-CVSS: 0 PackageKit
The issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
    x        
CVE-2023-38602 [important] ChatGPT-CVSS: 0 PackageKit
A permissions issue was addressed with additional restrictions.
An app may be able to modify protected parts of the file system
    x x x    
CVE-2023-32442 [moderate] ChatGPT-CVSS: 0 Shortcuts
An access issue was addressed with improved access restrictions.
A shortcut may be able to modify sensitive Shortcuts app settings
    x x      
CVE-2023-32443 [moderate] ChatGPT-CVSS: 0 sips
An out-of-bounds read was addressed with improved input validation.
Processing a file may lead to a denial-of-service or potentially disclose memory contents
    x x x    
CVE-2023-32429 [important] ChatGPT-CVSS: unknown. SystemMigration
The issue was addressed with improved checks.
An app may be able to bypass Privacy preferences
    x        
CVE-2023-38608 [important] ChatGPT-CVSS: unknown. Voice Memos
The issue was addressed with additional permissions checks.
An app may be able to access user-sensitive data
    x        

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments


Diary Archives