- 215/2023
- High
Apple has released security updates to address multiple vulnerabilities across multiple products.
The addressed vulnerabilities could allow the attacker to obtain sensitive information, perform cross-site scripting attacks, execute arbitrary code, and gain access to the affected products by persuading the victim to open a specially crafted image, attachment, or application.
Sample of the addressed vulnerabilities:
1. Apple macOS Ventura Buffer Overflow Vulnerability (CVE-2023-41064):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Access
2. Apple macOS Ventura Cross-Site Scripting Vulnerability (CVE-2023-40397):
- CVSS: 6.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
It should be highlighted that security researchers have discovered that there are two zero-day vulnerabilities (CVE-2023-41061, and CVE-2023-41064) that are actively exploited in the wild as a part of zero-click exploit chain to deploy NSO Group’s Pegasus commercial spyware.
Vulnerabilities
- CVE-2023-41061
- CVE-2023-41064
- CVE-2023-38616
- CVE-2023-40392
- CVE-2023-28200
- CVE-2023-29491
- CVE-2023-38605
- CVE-2023-40397
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.