In its new vulnerability note, CERT-In is reporting multiple vulnerabilities in Apple iOS and iPadOS. These vulnerabilities could allow an attacker to execute arbitrary code, bypass security restrictions, elevated privileges, gain access to sensitive information or cause denial-of-service conditions on the targeted system.
According to CERT-In, these vulnerabilities exist in Apple iOS and iPadOS due to the following technical reasons:
“Type confusion, use-after-free flaw, permission issue and race condition in the Kernel component ; out-of-bounds read, use-after-free flaw and buffer overflow in the WebKit component; logic issue in the LaunchServices component; out-of-bounds read flaw in the IOSurfaceAccelerator; authorization issue in the Sandbox component; out-of-bounds read flaw in the Model I/O component; out-of-bounds read flaw in the ImageIO component; improper bounds checking by the ImageIO component; improper permission flaw in the Accessibility component; logic flaw in the Metal component; improper handling of caches in the TV App component; use-after-free flaw in the Telephony component; out-ofbounds read flaw in the IOSurfaceAccelerator; logic issue in the Shell component; out-of-bounds read flaw in the IOSurface component; flaw in the CoreServices component , System Settings , Photos , Security component , Associated Domains , StorageKit , PDFKit , Accessibility , Wi-Fi component , Photos , Shortcuts , GeoServices , Core Location, NetworkExtension, WebKit component , AppleMobileFileIntegrity, Weather component , Cellular, Apple Neural Engine , CoreCapture comment and SQLit Component.”
These vulnerabilities could be exploited by any remote hacker by persuading a victim to visit a maliciously crafted web content. The successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security restrictions, elevated privileges, and gain access to sensitive information or cause denial-of-service conditions on the targeted system. Categorised as CVE-2023-28204 , CVE-2023-32373 and CVE-2023-32409, these vulnerabilities are already being exploited. The solution is to apply appropriate software updates as mentioned in the Apple Security updates:CERT-IN or ICERT ( Indian Computer Emergency Response Team) is Government of India’s nodal agency to deal with cyber security threats like hacking and phishing. The organisation is an office within the Ministry of Electronics and Information Technology (MeitY), and its focus is on strengthening the security of India’s Internet system.