Apple security updates fix 33 iPhone vulnerabilities

Apple has released fixes for a total of 33 confirmed vulnerabilities in its latest update to iOS and iPadOs, the mobile operating systems that run on its iPhone and iPad lines, including two series issues that may affect device kernels.

The new versions, iOS 16.4 for iPhone and iPadOS 16.4 for iPad, are available to download now through the usual channels. Consumer users can check their update status by accessing Settings – General – Software Update, although they may find the update has been applied automatically.

To protect its customers and give as many as possible a chance to take advantage of automated upgrade procedures, Apple does not disclose, discuss or confirm any security issues until they have been thoroughly investigated and patches or new releases made available if needed. As such, full details of their precise nature are, as usual, sparse.

The two vulnerabilities affecting the operating system core kernel are currently being tracked as CVE-2023-27969, attributed to Adam Doupé of Arizona State University’s Laboratory of Security Engineering for Future Computing (SEFCOM), and CVE-2023-27933, attributed to an individual going by the handle sqrtpwn, who has previously disclosed other kernel-linked vulnerabilities in Apple products.

In the first case, exploitation could lead to an app being able to execute arbitrary code on the system with kernel privileges. The same applies in the second instance, although in this case the app would also need to have root privileges on the system. Both issues are addressed with improved memory management and handling.

Due to the critical nature of the jobs that the kernel performs on any operating system, vulnerabilities that affect it are valued by threat actors for the high-level access they may grant. As such, the updates should be prioritised.

The update also fixes three vulnerabilities in Apple Neural Engine that could lead to arbitrary code execution with kernel privileges, vulnerabilities in AppleMobileFileIntegrity, Calendar, Find My, Identity Services, Photos, Podcasts and Sandbox that could lead to user data exposure, and two vulnerabilities in WebKit.

The security updates can be applied to all models of iPhone 8 and later, all models of iPad Pro, third-generation models and later models of iPad Air, fifth-generation and later models of iPad, and fifth-generation and later models of iPad mini.

The update also includes other product enhancements and, crucially, over 20 new emojis including a donkey, ginger root, a goose, a jellyfish, and some maracas.

Older versions of iOS and iPadOS are also receiving updates to version 15.7.4, covering all models of iPhone 6s, iPhone 7, first generation iPhone SE, iPad Air 2, fourth generation iPad Mini, and seventh generation iPod touch.

This update fixes 16 vulnerabilities, including another WebKit vulnerability – CVE-2023-23529 – that may lead to arbitrary code execution if the device processes maliciously crafted web content. There have been reports that this bug is being actively exploited in the wild. Given Apple’s security policies, there is no indication of how it is being exploited, or any indicators of compromise (IoCs) at this time.

There are also patches available for watchOS, taking it to version 9.4, and tvOS to 16.4. At the same time, organisations operating Mac estates should prioritise updates to macOS versions Big Sur (11.7.5), Monterey (12.6.4) and Ventura (13.3). There is also a security update for the Safari browser.