Patches for Apple vulnerabilities have been released after security researchers alerted the company.
The Zero Day Initiative disclosed multiple vulnerabilities that were discovered by Zero Day Initiative researchers. These have been revealed only after patches for these vulnerabilities were released by the affected vendor.
The ZDI advisory listed seven Apple vulnerabilities found across multiple Apple products, including macOS, Safari, WebKit and GarageBand. Patches for all of them have been released, and users are urged to apply them.
The following seven Apple vulnerabilities were noted in the Zero Day Initiative advisory:
- CVE-2023-27929 with a CVSS score of 3.3 was found in macOS.
- CVE-2022-42798 with a CVSS score of 3.3 was found in macOS.
- CVE-2022-32922 with a CVSS score of 8.8 was found in Safari.
- CVE-2022-32912 with a CVSS score of 4.3 was found in WebKit.
- CVE-2022-32797 with a CVSS score of 3.3 was found in macOS.
- CVE-2023-27938 with a CVSS score of 3.3 was found in GarageBand.
- CVE-2023-23519 with a CVSS score of 3.3 was found in macOS.
Details about the vulnerabilities in Apple products
No security incidents or issues exploiting the above Apple vulnerabilities were disclosed in the company advisories.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page,” read the Apple report.
- CVE-2023-27929 can allow hackers to access sensitive data on unpatched systems. A malicious KTX image can trigger a read past the end of an allocated buffer, which, when combined with other vulnerabilities, could be leveraged to run arbitrary code. The bug is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4, and iPadOS 16.4.
- CVE-2022-42798 would allow a maliciously created audio file to expose user information on unpatched systems. The issue has been fixed in tvOS 16.1, iOS 15.7.1, iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, and iOS 16.1, iPadOS 16, macOS Monterey 12.6.1, and macOS Big Sur 11.7.1. A patch has been released to address this vulnerability in Apple products.
- CVE-2022-32922 can allow hackers to run arbitrary code on affected systems; however, user interaction is needed for an exploit to take place, such as visiting a malicious page. The bug was fixed in Safari 16.1, iOS 16.1 and iPadOS 16, and macOS Ventura 13. A patch was made available for this vulnerability in Apple products.
- CVE-2022-32912 can allow hackers to access sensitive information on affected WebKit installations. The bug was fixed in Safari 16, iOS 16, iOS 15.7, and iPadOS 15.7. A patch was made available to users, as published on the company's patch update page.
- CVE-2022-32797, like most of the other Apple vulnerabilities mentioned here, can allow hackers to access sensitive information on unpatched devices. The issue has been patched in macOS Big Sur 11.6.8 and macOS Monterey 12.5. Patch details can be found in the company advisory.
- CVE-2023-27938 was addressed with improved input validation. Parsing a maliciously crafted MIDI file can lead to application termination on unpatched software. It is fixed in GarageBand for macOS 10.4.8.
- CVE-2023-23519 exists in the ImageIO framework, where a malicious KTX image, when processed, could lead to a denial of service. The bug is fixed in macOS Ventura 13.2, tvOS 16.3, iOS 16.3 and iPadOS 16.3, and watchOS 9.3. Users are urged to upgrade to the latest patch release to avoid leaving their systems open to attack.
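The advisory text above gives, for each macOS CVE, the release line and minimum version that carries the fix. The following script is an added example, not part of the article and not an Apple or ZDI tool: it encodes the macOS fixed versions quoted in the list above into a small table and reports, for an installed macOS version, which of the listed CVEs are patched, which are not, and which have no fix listed for that release line at all (the article names Ventura-only fixes for CVE-2023-27929 and CVE-2023-23519, for instance). The table layout, function names and status labels are this example's own; the Safari, WebKit and GarageBand CVEs are out of scope because their fixed versions are not macOS versions.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): compare an installed macOS
# version against the minimum fixed versions the article lists for its macOS CVEs.

# Table constructed from the article's text: CVE, macOS release line (major version),
# minimum version carrying the fix. Where the article lists no fix for a release
# line, there is simply no row, and check_macos reports that separately.
FIXED_VERSIONS='
CVE-2023-27929 13 13.3
CVE-2022-42798 13 13
CVE-2022-42798 12 12.6.1
CVE-2022-42798 11 11.7.1
CVE-2022-32922 13 13
CVE-2022-32797 12 12.5
CVE-2022-32797 11 11.6.8
CVE-2023-23519 13 13.2
'

# version_ge A B: succeed when dotted version A is >= B. Missing components count
# as 0, so "13" >= "13.0" and "13.3" >= "13.2.1"; a plain string compare would
# get "11.10" vs "11.9" wrong, which is why components are compared numerically.
version_ge() {
  have=$1
  need=$2
  while [ -n "$have" ] || [ -n "$need" ]; do
    h=${have%%.*}
    n=${need%%.*}
    if [ "$have" = "$h" ]; then have=; else have=${have#*.}; fi
    if [ "$need" = "$n" ]; then need=; else need=${need#*.}; fi
    if [ "${h:-0}" -gt "${n:-0}" ]; then return 0; fi
    if [ "${h:-0}" -lt "${n:-0}" ]; then return 1; fi
  done
  return 0
}

# check_macos VERSION: one line per table row in VERSION's release line, tagged
# PATCHED or UNPATCHED, plus a NO-FIX-LISTED line for every CVE in the table that
# has no row for that release line.
check_macos() {
  installed=$1
  major=${installed%%.*}
  printf '%s\n' "$FIXED_VERSIONS" | while read -r cve line minimum; do
    [ -n "$cve" ] || continue
    [ "$line" = "$major" ] || continue
    if version_ge "$installed" "$minimum"; then
      echo "PATCHED       $cve (fixed in $minimum)"
    else
      echo "UNPATCHED     $cve (requires $minimum, have $installed)"
    fi
  done
  for cve in $(printf '%s\n' "$FIXED_VERSIONS" | awk 'NF { print $1 }' | sort -u); do
    if ! printf '%s\n' "$FIXED_VERSIONS" | grep -q "^$cve $major "; then
      echo "NO-FIX-LISTED $cve (advisory lists no fix for the $major.x release line)"
    fi
  done
}

# Usage: sh check_macos.sh [VERSION]. Without an argument, query the running macOS
# via sw_vers; on other systems with no argument, nothing is checked.
if [ $# -gt 0 ]; then
  check_macos "$1"
elif command -v sw_vers >/dev/null 2>&1; then
  check_macos "$(sw_vers -productVersion)"
fi
```

Running it with `13.2` flags CVE-2023-27929 as unpatched (the fix is 13.3) and notes that CVE-2022-32797 has no Ventura fix in the advisory; running it with `12.6.1` shows both Monterey-fixed CVEs patched but three CVEs with no Monterey fix listed, which is the case a version-only check silently misses if it assumes "latest point release" means "covered".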
Crucial to patch vulnerabilities in Apple and other devices
Over 95% of all cyberattacks thrive on vulnerabilities. The vulnerability may be a zero-day with no patch released, or one whose available update was missed by users. It is crucial for enterprises to put a patch management process in place, a step that only 30% have taken according to a recent study on patch management.
With 82% of successful cyberattacks attributed to exploiting vulnerabilities for which a patch was available, it is a case of gross negligence on the part of users and companies that do not make adequate effort to ensure systems are patched, usually with the press of a button or automatically.
When the average cost of a data breach due to an unpatched vulnerability is around $3.86 million, and 29% of such breaches result in business shutdowns, it is a wake-up call to apply patches and turn on automatic software updates on each and every device.