InfoSecBulletin Cybersecurity for mankind
Apple on Thursday released security updates for its operating systems to patch dozens of vulnerabilities that could expose iPhones and Macs to hacker attacks, including three zero-days affecting the WebKit browser engine.
Two of the actively exploited vulnerabilities, CVE-2023-28204 and CVE-2023-32373, have been reported to the tech giant by an anonymous researcher. Their exploitation can lead to sensitive information disclosure and arbitrary code execution if the attacker can trick the targeted user into processing specially crafted web content — this includes luring them to a malicious site.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
No information is available on the attacks exploiting these zero-day flaws.
Apple revealed in its advisories that these were the vulnerabilities that it patched with its first Rapid Security Response updates, specifically iOS 16.4.1(a), iPadOS 16.4.1(a), and macOS 13.3.1(a).
Now, iOS 16.5 and iPadOS 16.5 fix CVE-2023-28204 and CVE-2023-32373, as well as CVE-2023-32409, a WebKit zero-day that can be exploited to escape the Web Content sandbox.
CVE-2023-32409 was reported to Apple by Google’s Threat Analysis Group and Amnesty International, which indicates that it has likely been exploited by the products of a commercial spyware vendor.
Google recently detailed several iOS and Android exploits that the company has linked to various spyware vendors.
CVE-2023-28204 and CVE-2023-32373 have also been fixed with the release of iOS and iPadOS 15.7.6
The exploited WebKit vulnerabilities have also been resolved in Apple TV, Apple Watch and Safari.
The latest macOS Ventura update fixes the three zero-days, along with nearly 50 other vulnerabilities that can lead to sensitive information disclosure, arbitrary code execution, DoS attacks, a security feature bypass, and privilege escalation.
Apple has also updated macOS Monterey to version 12.6.6 and Big Sur to version 11.7.7 to patch more than two dozen vulnerabilities, but none of the zero-days.
