Apple released iOS 16.3 last month, and when you updated to it, there were several new features along for the ride, as well as several security updates. While 12 of the security fixes were revealed alongside the release of the update, Apple waited until Monday to reveal three more updates.
It is not clear why Apple didn’t disclose the security fixes (which were also included in the macOS 13.2 update) at the time of the update, but Apple says it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
iOS 16.3 and macOS 13.2 Security Updates
The details of the three new fixes are as follows:
Crash Reporter
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A user may be able to read arbitrary files as root
Description: A race condition was addressed with additional validation.
CVE-2023-23520: Cees Elzinga
Foundation
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Foundation
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
Other Security Patches
Apple also revealed a previously unreported security patch in iOS 16.3.1 and macOS 13.2.1 this week.
Security
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted certificate may lead to a denial-of-service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2023-23524: David Benjamin of Google Chrome
While Apple is no longer signing iOS 16.3, iOS 16.3.1 is available and it includes the fixes and features from iOS 16.3.