Today Apple released iOS 16.4 with over 30 security fixes found by independent security researchers

Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: newskr...@krawl.org (NewsKrawler)
Newsgroups: comp.sys.mac.system
Subject: Today Apple released iOS 16.4 with over 30 security fixes found by independent security researchers
Date: Tue, 28 Mar 2023 05:31:14 -0000 (UTC)
Organization: To protect and to server
Message-ID: <tvtu31$moni$1@paganini.bofh.team>
Injection-Date: Tue, 28 Mar 2023 05:31:14 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="746226"; posting-host="dCc0u5T/G87ZM4JysRyXPQ.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
Cancel-Lock: sha256:4GX5c08qSwxFTWEiVg4whUSE2ZOx/QrKL6QeRL9whys=
X-Notice: Filtered by postfilter v. 0.9.3
 by: NewsKrawler - Tue, 28 Mar 2023 05:31 UTC

https://www.zdnet.com/article/its-time-to-update-all-of-your-apple-devices-again-heres-why/
It's time to update all of your Apple devices again based on new bugs found
by many independent security researchers.

Apple just released iOS 16.4 with over 30 security fixes for iPhone, alongside
updates for Mac, iPad and more.

Today Apple released iOS 16.4, iPadOS 16.4, MacOS 13.3, WatchOS 9.4, tvOS
16.4, and HomePod software version 16.4.
Perhaps most importantly, there's a long list of security fixes included in
Monday's updates.
Apple's security site was updated shortly after the new software was
released, detailing over 30 security issues that were fixed for the iPhone
and iPad alone.

https://www.macworld.com/article/1481562/ios-16-4-release-features-emoji-install.html
iOS 16.4 includes more than 30 security updates, including several that
could be deemed high-risk, all found by independent security researchers.

Among the flaws patched:
Calendar
Impact: Importing a maliciously crafted calendar invitation may exfiltrate
user information
Description: Multiple validation issues were addressed with improved input
sanitization.
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Find My
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23537: an anonymous researcher

WebKit
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
CVE-2023-27954: an anonymous researcher

https://support.apple.com/en-us/HT213673
About the security content of iOS 15.7.4 and iPadOS 15.7.4
Released March 27, 2023

Accessibility
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to access information about a user's contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23541: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Importing a maliciously crafted calendar invitation may exfiltrate
user information
Description: Multiple validation issues were addressed with improved input
sanitization.
CVE-2023-27961: Riza Sabuncu (@rizasabuncu)

Camera
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: A sandboxed app may be able to determine which app is currently
using the camera
Description: The issue was addressed with additional restrictions on the
observability of app states.
CVE-2023-23543: Yigit Can YILMAZ (@yilmazcanyigit)

CommCenter
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to cause unexpected system termination or write
kernel memory
Description: An out-of-bounds write issue was addressed with improved input
validation.
CVE-2023-27936: Tingting Yin of Tsinghua University

Find My
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-23537: an anonymous researcher

FontParser
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing a maliciously crafted image may result in disclosure of
process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security

Identity Services
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to access information about a user's contacts
Description: A privacy issue was addressed with improved private data
redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing a maliciously crafted image may result in disclosure of
process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to disclose kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2023-27941: Arsenii Kostromin (0x3c3e)

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory
management.
CVE-2023-27969: Adam Doupe of ASU SEFCOM

Model I/O
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing a maliciously crafted file may lead to unexpected app
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2023-27949: Mickey Jin (@patch1t)

NetworkExtension
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: A user in a privileged network position may be able to spoof a VPN
server that is configured with EAP-only authentication on a device
Description: The issue was addressed with improved authentication.
CVE-2023-28182: Zhuowei Zhang

Shortcuts
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: A shortcut may be able to use sensitive data with certain actions
without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao
Li and Xiaolong Bai of Alibaba Group

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
WebKit Bugzilla: 250837
CVE-2023-27954: an anonymous researcher

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch
(7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 251944
CVE-2023-23529: an anonymous researcher
