-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7
iOS 16.7 and iPadOS 16.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213927. Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. Additional CVE entries coming soon. Kernel Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. Description: The issue was addressed with improved checks. CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group Security Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. Description: A certificate validation issue was addressed. CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group WebKit Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. Description: The issue was addressed with improved checks. WebKit Bugzilla: 261544 CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group Additional recognition Kernel We would like to acknowledge Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for their assistance. This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 16.7 and iPadOS 16.7". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+MACgkQX+5d1TXa IvqDVA//ViOiBbSSAlFO6+SkMIWoXJvV+5lQktWubXwtiDkC2gXrxFazBMrGOmzz 1ELGkLVPGbgPR0nt5C2VrmFWEQ6U4HGf8K1RTIniqqSVHuVZeoQ8JGobIEItgj0/ NYws3BtdZKaYJtW9imdMBgjk9pFsqYvw14yNxxScaUz1zmOjdbslQSkYIMqYp5Er 2ION56ZLVvTfNs70RsZ3k/8S+2FFR1UQR0kfXrGZg7vmeaEw0XPW7NZGjLDiDTxW /Ro2lfl/7jLMH7gy5IeHTJw0TsZZlkCgQ0EllJ3UPuptpr9EiNgs26bJLGjv8Hjl 1Mp1/uzkPhdNLcN8UghgCrQNHuMb9P69DcHahOAuACCPWO09eoQay2+ZmMR+Ec7H KUmVEnjCJ7I4crIY93c8zXdkrFp06kwcLOUo7JzVy7WWAn302wGKnNW1G/q7FXNS bGnWs/mQMWXfB3eeLT7atU39RmCQgLNopfQuJfgImTYiSYhVB1xBt0sKnP9OfT2R KlWO4+7Igs9UzcNkbNnDjkJGGtZuQNG1njUHDRaePpC8YnesQ5Xo3mUAdEKKDjfs vgvy/xZXLggpwj1Vo5RrRsceiWEjjffCsRJaBEx/R03dv4JUkm3VT/dRFWEntroG Z+lvhgKjvKUszZ9/ztER3Yfw9FvptRwznshof/KYt+IKAVwnQOQ= =oY3a -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/