Apple Family January 2024 1st Security Update Advisory
Overview
Apple (https://apple.com) has released security updates that address vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
macOS Ventura
iPad Pro 12.9-inch 3rd generation and newer
iPad Pro 11-inch 1st generation and later
iPad Air 3rd generation and later
iPad 8th generation and later
iPad mini 5th generation and later
iPad Pro 12.9-inch 2nd generation and later
iPad Pro 10.5-inch
iPad 6th generation and later
iPhone XS and later
iPhone 8
iPhone 8 Plus
iPhone X
iPad 5th generation
iPad Pro 9.7-inch
iPad Pro 12.9-inch 1st generation
iPhone 6s (all models)
iPhone 7 (all models)
iPhone SE (1st generation)
iPad Air 2
iPad mini (4th generation)
iPod touch (7th generation)
macOS Sonoma
macOS Monterey
Apple Watch Series 9
Apple Watch Ultra 2
Apple Watch Series 4 and later
Apple TV HD
Apple TV 4K (all models)
Resolved Vulnerabilities
The following vulnerabilities were patched in the product-specific updates released on January 22, 2024:
Safari 17.3
Vulnerability in the Safari feature that could allow a user’s private browsing activity to be displayed in Settings (CVE-2024-23211)
Vulnerability in WebKit functionality that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Vulnerability in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
iOS 17.3 and iPadOS 17.3
Vulnerability in Apple Neural Engine functionality that could allow arbitrary code execution (CVE-2024-23212)
Vulnerability in CoreCrypto functionality that could allow an attacker to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without a private key (CVE-2024-23218)
Vulnerability in the Kernel feature that could allow arbitrary code execution (CVE-2024-23208)
Vulnerability in Mail Search feature that could allow an app to access sensitive user data (CVE-2024-23207)
Vulnerability in the NSSpellChecker function that could allow an app to access sensitive user data (CVE-2024-23223)
Vulnerability in the Reset Services feature that could unexpectedly disable Stolen Device Protection (CVE-2024-23219)
Vulnerability in the Safari feature that could allow a user’s private browsing activity to be displayed in Settings (CVE-2024-23211)
Vulnerability in the Shortcuts feature that could allow shortcuts to consume sensitive data with certain actions without prompting the user (CVE-2024-23203, CVE-2024-23204)
Vulnerability in the Shortcuts feature that could allow apps to bypass certain privacy preferences (CVE-2024-23217)
Vulnerability in the TCC feature that could allow an app to access users’ sensitive data (CVE-2024-23215)
Vulnerability in the Time Zone feature that could allow an app to view a user’s phone number in system logs (CVE-2024-23210)
Vulnerability in the WebKit feature that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Vulnerabilities in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213, CVE-2024-23214)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
iOS 16.7.5 and iPadOS 16.7.5
Vulnerability in the Accessibility feature that could allow an app to access sensitive user data (CVE-2023-42937)
Vulnerability in the Apple Neural Engine feature that could allow arbitrary code execution (CVE-2024-23212)
Multiple vulnerabilities in curl (CVE-2023-38545, CVE-2023-38039, CVE-2023-38546, CVE-2023-42915)
Vulnerability in the ImageIO function that could allow maliciously crafted image handling to disclose process memory (CVE-2023-42888)
Vulnerability in Safari functionality that could allow a user’s private browsing activity to be displayed in Settings (CVE-2024-23211)
Vulnerabilities in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213, CVE-2024-23214)
Vulnerability in WebKit functionality that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
iOS 15.8.1 and iPadOS 15.8.1
A vulnerability that could disclose sensitive information when processing web content in WebKit functions. Apple is aware of reports that this issue may have been exploited in iOS versions prior to iOS 16.7.1 (CVE-2023-42916)
Vulnerability in WebKit functionality that could allow arbitrary code execution (CVE-2023-42917)
macOS Sonoma 14.3
Vulnerability in Apple Neural Engine functionality that could allow arbitrary code execution (CVE-2024-23212)
Vulnerability in the CoreCrypto feature that could allow an attacker to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without a private key (CVE-2024-23218)
Vulnerability in Finder functionality that could allow apps to access sensitive user data (CVE-2024-23224)
Vulnerability in Kernel functions that could allow arbitrary code execution (CVE-2024-23208)
Vulnerability in LLVM functionality that could allow arbitrary code execution (CVE-2024-23209)
Vulnerability in Mail Search functionality that could allow an app to access sensitive user data (CVE-2024-23207)
Vulnerability in the NSSpellChecker feature that could allow an app to access sensitive user data (CVE-2024-23223)
Vulnerability in the Safari feature that could allow a user’s private browsing activity to be displayed in Settings (CVE-2024-23211)
Vulnerability in the Shortcuts feature that could allow shortcuts to use sensitive data with certain actions without prompting the user (CVE-2024-23203, CVE-2024-23204)
Vulnerability in the Shortcuts feature that could allow apps to bypass certain privacy preferences (CVE-2024-23217)
Vulnerability in the TCC feature that could allow an app to access users’ sensitive data (CVE-2024-23215)
Vulnerability in Time Zone feature that could allow an app to view a user’s phone number in system logs (CVE-2024-23210)
Vulnerability in the WebKit feature that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Vulnerabilities in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213, CVE-2024-23214)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
macOS Ventura 13.6.4
Vulnerability in Apple Neural Engine feature that could allow arbitrary code execution (CVE-2024-23212)
Vulnerability in the Accessibility feature that could allow an app to access sensitive user data (CVE-2023-42937)
Vulnerability in the Core Data feature that could allow an app to bypass privacy preferences (CVE-2023-40528)
Multiple vulnerabilities in curl (CVE-2023-38545, CVE-2023-38039, CVE-2023-38546, CVE-2023-42915)
Vulnerability in the Finder function that could allow an app to access sensitive user data (CVE-2024-23224)
Vulnerability in the ImageIO function that could allow maliciously crafted image handling to disclose process memory (CVE-2023-42888)
Vulnerability in LoginWindow functionality that could allow a local attacker to view the desktop of a previously logged-in user from the fast user switching screen (CVE-2023-42935)
Vulnerability in the Mail Search feature that could allow an app to access sensitive user data (CVE-2024-23207)
Vulnerability in NSOpenPanel functionality that could allow an app to read arbitrary files (CVE-2023-42887)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
macOS Monterey 12.7.3
Vulnerability in the Accessibility feature that could allow apps to access sensitive user data (CVE-2023-42937)
Vulnerability in the Apple Neural Engine feature that could allow arbitrary code execution (CVE-2024-23212)
Multiple vulnerabilities in curl (CVE-2023-38545, CVE-2023-38039, CVE-2023-38546, CVE-2023-42915)
Vulnerability in the ImageIO function that could result in process memory disclosure when handling maliciously crafted images (CVE-2023-42888)
Vulnerability in the Mail Search feature that could allow an app to access sensitive user data (CVE-2024-23207)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
watchOS 10.3
Vulnerability in Apple Neural Engine feature that could allow arbitrary code execution (CVE-2024-23212)
Vulnerability in CoreCrypto functionality that could allow an attacker to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without a private key (CVE-2024-23218)
Vulnerability in the Kernel feature that could allow arbitrary code execution (CVE-2024-23208)
Vulnerability in Mail Search feature that could allow an app to access sensitive user data (CVE-2024-23207)
Vulnerability in the NSSpellChecker feature that could allow an app to access sensitive user data (CVE-2024-23223)
Vulnerability in the Safari feature that could allow a user’s private browsing activity to be displayed in Settings (CVE-2024-23211)
Vulnerability in the Shortcuts feature that could allow shortcuts to use sensitive data with certain actions without prompting the user (CVE-2024-23204)
Vulnerability in the Shortcuts feature that could allow an app to bypass certain privacy preferences (CVE-2024-23217)
Vulnerability in the TCC feature that could allow an app to access sensitive user data (CVE-2024-23215)
Vulnerability in the Time Zone feature that could allow an app to view a user’s phone number in system logs (CVE-2024-23210)
Vulnerability in the WebKit feature that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Vulnerability in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213)
tvOS 17.3
Vulnerability in Apple Neural Engine functionality that could allow arbitrary code execution (CVE-2024-23212)
Vulnerability in CoreCrypto functionality that could allow an attacker to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without a private key (CVE-2024-23218)
Vulnerability in Kernel functions that could allow arbitrary code execution (CVE-2024-23208)
Vulnerability in the NSSpellChecker function that could allow an app to access sensitive user data (CVE-2024-23223)
Vulnerability in the TCC feature that could allow an app to access sensitive user data (CVE-2024-23215)
Vulnerability in the Time Zone feature that could allow an app to view a user’s phone number in system logs (CVE-2024-23210)
Vulnerability in the WebKit feature that could allow a maliciously crafted webpage to fingerprint the user (CVE-2024-23206)
Vulnerability in WebKit functionality that could allow arbitrary code execution (CVE-2024-23213)
Type confusion vulnerability in web content handling that could allow arbitrary code execution (CVE-2024-23222)
Vulnerability Patches
Security Bulletins and Advisories
https://support.apple.com/en-us/HT201222
Safari 17.3
https://support.apple.com/kb/HT214056
iOS 17.3 and iPadOS 17.3
https://support.apple.com/kb/HT214059
iOS 16.7.5 and iPadOS 16.7.5
https://support.apple.com/kb/HT214063
iOS 15.8.1 and iPadOS 15.8.1
https://support.apple.com/kb/HT214062
macOS Sonoma 14.3
https://support.apple.com/kb/HT214061
macOS Ventura 13.6.4
https://support.apple.com/kb/HT214058
macOS Monterey 12.7.3
https://support.apple.com/kb/HT214057
watchOS 10.3
https://support.apple.com/kb/HT214060
tvOS 17.3