When you updated your iPhone to iOS 16.3 last month, you got a few new features, including support for the new HomePod, and a dozen security updates. As it turns out, there were actually 15 security updates—Apple just didn’t tell us about three of them until this week.
It’s not clear why Apple didn’t disclose the updates, which were also part of macOS 13.2, until February 20, but Apple says it “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” Apple also revealed a previously undisclosed security patch in iOS 16.3.1 and macOS 13.2.1 this week.
Two of the newly disclosed flaws may allow an app to execute arbitrary code on your device. Here are the details of the three new fixes:
Crash Reporter
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: A user may be able to read arbitrary files as root
- Description: A race condition was addressed with additional validation.
- CVE-2023-23520: Cees Elzinga
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-23530: Austin Emmitt, Senior Security Researcher at Trellix ARC
Foundation
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS Ventura
- Impact: An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges
- Description: The issue was addressed with improved memory handling.
- CVE-2023-23531: Austin Emmitt, Senior Security Researcher at Trellix ARC
Apple is no longer signing iOS 16.3, so if you haven’t updated yet, you’ll have to update to iOS 16.3.1, which includes the fixes and features from iOS 16.3.