Apple released iOS 16.3 last month, and the update brought several new features along with several security updates. While 12 of the security fixes were revealed alongside the release of the update, Apple waited until Monday to reveal three more.
It is not clear why Apple didn’t disclose these security fixes (which were also included in the macOS 13.2 update) at the time of the update, but Apple says it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
The details of the three new fixes are as follows:
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A user may be able to read arbitrary files as root
Description: A race condition was addressed with additional validation.
CVE-2023-23520: Cees Elzinga
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
Apple also revealed a previously unreported security patch in iOS 16.3.1 and macOS 13.2.1 this week.
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later.
Impact: Processing a maliciously crafted certificate may lead to a denial-of-service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2023-23524: David Benjamin of Google Chrome
While Apple is no longer signing iOS 16.3, iOS 16.3.1 is available and it includes the fixes and features from iOS 16.3.