Apple rolled out security patches for iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to resolve multiple security flaws, including a number of high-risk vulnerabilities affecting AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit, several of which can lead to arbitrary code execution.
Additionally, the iPhone maker backported fixes for two recently disclosed zero-days (CVE-2023-42916 and CVE-2023-42917) to older devices via iOS 16.7.3 and iPadOS 16.7.3. Both bugs affect the WebKit browser engine, which every browser on iOS is required to use, so the exposure is not limited to Safari.
CVE-2023-42916 is an out-of-bounds read in WebKit that can be exploited to disclose sensitive information when processing malicious web content. The second vulnerability, CVE-2023-42917, is a memory corruption bug in WebKit that can lead to arbitrary code execution when processing web content; chained together, an information leak and a code-execution primitive are the usual shape of a browser-based exploit.
Apple said that CVE-2023-42916 and CVE-2023-42917 may have been exploited against versions of iOS before iOS 16.7.1.
One of the most notable vulnerabilities patched with the latest security updates is CVE-2023-45866, a weakness in Apple's Bluetooth implementation that an attacker within Bluetooth range (Apple describes this as a "privileged network position") can use to pair a spoofed keyboard with the target without user confirmation and inject keystrokes, which in practice means running arbitrary commands on the device. The issue was reported by SkySafe security engineer Marc Newlin last week.
According to Newlin, the bug allows an attacker to connect to Apple, Android, and Linux devices as a fake keyboard, and the exploit can be run from a Linux machine using a standard Bluetooth adapter, without any special hardware. The root cause is an unauthenticated pairing mechanism in the Bluetooth HID specification rather than a single vendor's bug, so until a device is patched the practical mitigation is to keep Bluetooth disabled when it is not needed.