Important Notice: Security Vulnerabilities of Apple Products
Information Security Alert
To: All Users
As informed by the Cybersecurity Incident Alert and Response Centre (CARIC), Apple has recently issued several security vulnerability update notices, among which the Apple WebKit arbitrary code execution vulnerability (CVE-2023-23529) is a zero-day vulnerability. There are signs that the related vulnerabilities have been exploited recently. If you are using any of the affected products listed below, please back up your data and install the updates as soon as possible.
Related vulnerabilities
Apple WebKit Arbitrary Code Execution Vulnerability (CVE-2023-23529)
This vulnerability stems from a type confusion error in Apple WebKit. An unauthenticated remote attacker can lure a victim into visiting a specially crafted malicious website; when WebKit processes the web content, the type confusion error is triggered and arbitrary code is ultimately executed on the target system. In addition, an attacker can chain CVE-2023-23529 with CVE-2023-23514 to escalate privileges and escape the Safari sandbox.
Affected Products
- Apple iOS < 16.3.1, iPadOS < 16.3.1, Apple macOS Ventura < 13.2.1
- Apple watchOS < 9.3.1, Apple tvOS < 16.3.2, Apple Safari < 16.3.1
For more details, please refer to:
Mitigation
If the above-mentioned affected products are being used, please
- arrange testing and install security updates released by Apple as soon as possible;
- pay attention to backup work before updating.
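As an added example (not part of the ICTO advisory), the following Python script checks a constructed device inventory against the first fixed releases listed above, padding short version strings so that 16.3 is correctly treated as earlier than 16.3.1; the inventory rows and device identifiers are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# First fixed release per product, taken from the advisory's "Affected Products" list.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "16.3.1",
    "iPadOS": "16.3.1",
    "macOS Ventura": "13.2.1",
    "watchOS": "9.3.1",
    "tvOS": "16.3.2",
    "Safari": "16.3.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.3.1' into (16, 3, 1); anything non-numeric is rejected."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when `version` is strictly below the first fixed release; missing
    components are padded with zeros so '16.3' compares as 16.3.0 < 16.3.1."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not named in the advisory
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def devices_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the ids of inventory rows (id, product, version) still exposed."""
    return [dev for dev, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory for demonstration; not real device records.
SAMPLE_INVENTORY = [
    ("lab-ipad-01", "iPadOS", "16.3"),            # 16.3.0 < 16.3.1: needs update
    ("staff-mbp-07", "macOS Ventura", "13.2.1"),  # already on the fixed release
    ("lobby-atv-02", "tvOS", "16.3.1"),           # tvOS fix is 16.3.2: needs update
    ("staff-watch-03", "watchOS", "9.4"),         # 9.4.0 > 9.3.1: not affected
]

if __name__ == "__main__":
    for dev in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{dev}: install the Apple security update before further use")
```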
Reference
- How to download and install software in a secure manner?
- Basic Knowledge of Online Safety and Security
- Other Information Security Tips
Should you have any enquiries, please feel free to contact ICTO Help Desk.
ICTO Help Desk
Location : Room 2085, 2/F, Central Teaching Building (E5), eMap
Telephone : 8822 8600
email : icto.helpdesk@um.edu.mo
Information and Communication Technology Office
Dear Users,
The Information and Communication Technology Office has been informed by the Cybersecurity Incident Alert and Response Centre that Apple has recently issued security update notices for multiple vulnerabilities, among which the Apple WebKit arbitrary code execution vulnerability (CVE-2023-23529) is a zero-day vulnerability, and the related vulnerabilities may already have been exploited. If you are using any of the affected products listed below, please arrange backups and install the updates as soon as possible.
Vulnerability details
Apple WebKit arbitrary code execution vulnerability (CVE-2023-23529)
Because of a type confusion weakness in Apple WebKit, this vulnerability allows an unauthenticated remote attacker to lure a victim into visiting a specially crafted malicious website, causing WebKit to trigger a type confusion error while processing the web content and ultimately execute arbitrary code on the target system. In addition, an attacker can chain CVE-2023-23529 with CVE-2023-23514 to escalate privileges and escape the Safari sandbox.
Affected versions
- Apple iOS < 16.3.1, iPadOS < 16.3.1, Apple macOS Ventura < 13.2.1
- Apple watchOS < 9.3.1, Apple tvOS < 16.3.2, Apple Safari < 16.3.1
For details, please refer to:
Required actions
If any of the affected products above are in use, you must:
- arrange testing and install the security updates released by Apple as soon as possible;
- back up your data before updating.
References
Should you have any enquiries, please contact the ICTO Help Desk.
Help Desk
Location : Room 2085, 2/F, Central Teaching Building (E5) (eMap)
Telephone : 8822 8600
Email : icto.helpdesk@um.edu.mo
Information and Communication Technology Office