Apple Security Advisory 01-22-2024-2

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3iOS 17.3 and iPadOS 17.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214059.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone XS and later,iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 8thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecurityCoreCryptoAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5ciphertexts without having the private keyDescription: A timing side-channel issue was addressed with improvementsto constant-time computation in cryptographic functions.CVE-2024-23218: Clemens LangKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team ofLegendsec at QI-ANXIN GroupMail SearchAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), andIan de MarcellusNSSpellCheckerAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved handling offiles.CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Reset ServicesAvailable for: iPhone XS and laterImpact: Stolen Device Protection may be unexpectedly disabledDescription: The issue was addressed with improved authentication.CVE-2024-23219: Peter Watthey and Christian ScaleseSafariAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A shortcut may be able to use sensitive data with certainactions without prompting the userDescription: The issue was addressed with additional permissions checks.CVE-2024-23203: an anonymous researcherCVE-2024-23204: Jubaer Alnazi (@h33tjubaer)ShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to bypass certain Privacy preferencesDescription: A privacy issue was addressed with improved handling oftemporary files.CVE-2024-23217: Kirin (@Pwnrin)TCCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: An issue was addressed with improved handling of temporaryfiles.CVE-2024-23215: Zhongquan Li (@Guluisacat)Time ZoneAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to view a user's phone number in system logsDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.3 and iPadOS 17.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDP8ACgkQX+5d1TXaIvp1NA//Ziu4pKJd/OIbEjiPfVw8w/q2A4uPkHzOtxWWeSsuQHmUjULi9PGLtjFdOy6SGjIAXKkP5wpt2qoOXcqEwP8kQzMQZwmRSHyPbSNXLyDiThgLdFWOqV5GcO1+eM7vOvKfcf7ITJJashPS4gJet7QpqX0vM5Pop9XJlS679IdhnauCY/ocmoWafvayY7IZf6SXYXh/V6wWk76zW7ZAgdWz0qxPjoObc3UrggJagBuBGzbSbEj1aK+tw8GMKw0whSG1fMqoLWsIielGaAahHmyIrg424S3HK/JdAXU8QXKKUc3HYVyShceLIgf7Gn/RFtIFiqoAlublgbEXthPYVG+pwFMvjUiCFPZK4tQ9yDtst+6ViPT+LK8Ea21ZqwvWTYqcFzKVbc+DcA4W0sLZE9Rc3tMXm60qoy5x1T4tIOFGSotrjH0M8CthxaxSMxRusr4ejiczr5dbeq/4pjU5PevU/kZVIp0lA65WkznSqio/UxpJ9uD2Oh2C8ZKOHE/az3I3zD7Tll52RPWA201fvo9Q3bCL5JRd/ayXN+tVRuyACkLPcDgPMNB8TdjoBrzFvJ8KRg9XHn9qJSsz/h15UJ/lwVOKBHmSP3H+VWBR/ts0oKcj+UQGmNSHtWNXvreC6ZbQi16JSK2wp0MvVWbFrWnwg0Ory4e5x5hHbrBEvvw0Qwk==kOJs-----END PGP SIGNATURE-----