Headline
Apple Security Advisory 2023-03-27-8
Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2023-03-27-8 Safari 16.4
Safari 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213671.
WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: This issue was addressed with improved state management.
WebKit Bugzilla: 248615
CVE-2023-27932: an anonymous researcher
WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
WebKit Bugzilla: 250837
CVE-2023-27954: an anonymous researcher
Additional recognition
CFNetwork
We would like to acknowledge an anonymous researcher for their
assistance.
WebKit
We would like to acknowledge an anonymous researcher for their
assistance.
WebKit Web Inspector
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer
(@pwning_me) of SSD Labs for their assistance.
Safari 16.4 may be obtained from the Mac App Store.
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn4ACgkQ4RjMIDke
NxnzuA//R6r9YrqrgdWro+Why6ihvWKdVIBgEVu93nNfgd34+HLkRKsr00xH0hNw
kDvjtfPpCeuQB61VtVO6dCEPHLJICqEyOeqHoIDYvKwAoH830u3S4vWA6ozJpBmd
CCI+5tF9qAZWb+O0ED+hyU31z/+0s+gTGUjp7dhAnKJ6jKQOjSwWG4+YEgJA6wGG
oOC8dXGTWMHQJsDyxliGC/FQVo6cyWtbZiwWB9QYKP48yIldrRWJz75xOUWYOjWe
GYZ+vNDaOIi+/YHRHRYf/RY7Fdigur5rsWtzK/0v1T/n3t2kwe6WZkF4HdKFHRXL
KSw1fogSQh1BncUXlVfkn3BMPoEOUxHkhtawdKkewK+W8ZTC2mq+YwrJ26YZMTmU
5Nvgua4gxm2gb8LupcaXxt+o/nIbbTWyNx6rEyskWMxw6jZksBwgdDk2pSrUtmWh
d2VnkbUjoLXbP7uqSrf2gqd6drAVrHUlmEHLVAXCG60mhWNzCxr2M+DG2RZ0RLgJ
DMy2O4zxdzWZxkRJE86LchYz8zToQD7eQXm3zMQTGdSZoJXr3NxVGwdCaCGdhGAA
ckJV7nHybrVGQXdo5EeNuxKeiyJMimGGIDpQmHrrf+PgeL7zKi9e4KwyyobAmvZn
lw86QALA/97AKbSQthqHlDnv+inUrdwH1TWcurtCkjeRHgkhif8=
=o24C
-----END PGP SIGNATURE-----
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
The issue was addressed with improved checks. This issue is fixed in iOS 16.4 and iPadOS 16.4. An app may be able to unexpectedly create a bookmark on the Home Screen
A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data
The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privileges
This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution
Ubuntu Security Notice 6061-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Debian Linux Security Advisory 5397-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. An anonymous researcher discovered that a website may be able to track sensitive user information. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.