Apple Patches Exploited Vulnerabilities in iOS/iPadOS, macOS, watchOS and Safari

Published: 2023-06-22
Last Updated: 2023-06-22 07:12:39 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple released iOS, macOS, and watchOS updates, patching three vulnerabilities already being exploited. Two vulnerabilities affect WebKit, leading to a Safari patch for older operating systems.
The two WebKit issues (CVE-2023-32439 and CVE-2023-32435) can be used to execute arbitrary code as a user visits a malicious web page. The third vulnerability, CVE-2023-32434, can be used to elevate privileges after the initial code execution. 
See below for affected operating systems. Apple does not provide CVSS scores, so we asked ChatGPT to fill them in.

Safari 16.5.1 iOS 16.5.1 and iPadOS 16.5.1 iOS 15.7.7 and iPadOS 15.7.7 macOS Ventura 13.4.1 macOS Monterey 12.6.7 macOS Big Sur 11.7.8 watchOS 9.5.2 watchOS 8.8.1
CVE-2023-32439 [critical] ChatGPT-CVSS: CVSS score: 9.8 (Critical) *** EXPLOITED *** WebKit
A type confusion issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
x x x x        
CVE-2023-32434 [important] ChatGPT-CVSS: 8.8 *** EXPLOITED *** Kernel
An integer overflow was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
  x x x x x x x
CVE-2023-32435 [critical] ChatGPT-CVSS: 7.8 *** EXPLOITED *** WebKit
A memory corruption issue was addressed with improved state management.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
    x          

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 comment(s)

Comments


Diary Archives