-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2023-03-27-1 iOS 16.4 and iPadOS 16.4

iOS 16.4 and iPadOS 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213676.

Accessibility
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-23541: Csaba Fitzl (@theevilbit) of Offensive Security

Apple Neural Engine
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23540: Mohamed GHANNAM (@_simo36)
CVE-2023-27959: Mohamed GHANNAM (@_simo36)

Apple Neural Engine
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2023-27970: Mohamed GHANNAM

Apple Neural Engine
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved checks.
CVE-2023-23532: Mohamed Ghannam (@_simo36)

AppleMobileFileIntegrity
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)

AppleMobileFileIntegrity
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch1t)

Calendar
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
Description: Multiple validation issues were addressed with improved input sanitization.
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Camera
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A sandboxed app may be able to determine which app is currently using the camera
Description: The issue was addressed with additional restrictions on the observability of app states.
CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

CarPlay
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A user in a privileged network position may be able to cause a denial-of-service
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2023-23494: Itay Iellin of General Motors Product Cyber Security

ColorSync
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to read arbitrary files
Description: The issue was addressed with improved checks.
CVE-2023-27955: JeongOhKyea

Core Bluetooth
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted Bluetooth packet may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability Research Institute

CoreCapture
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University

Find My
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-23537: an anonymous researcher

FontParser
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2023-27937: an anonymous researcher

iCloud
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper
Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.
CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

Identity Services
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki

ImageIO
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn

LaunchServices
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Files downloaded from the internet may not have the quarantine flag applied
Description: This issue was addressed with improved checks.
CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

LaunchServices
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to gain root privileges
Description: This issue was addressed with improved checks.
CVE-2023-23525: Mickey Jin (@patch1t)

NetworkExtension
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device
Description: The issue was addressed with improved authentication.
CVE-2023-28182: Zhuowei Zhang

Photos
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Description: A logic issue was addressed with improved restrictions.
CVE-2023-23523: developStorm

Podcasts
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch1t)

Safari
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to unexpectedly create a bookmark on the Home Screen
Description: The issue was addressed with improved checks.
CVE-2023-28194: Anton Spivak

Sandbox
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to bypass Privacy preferences
Description: A logic issue was addressed with improved validation.
CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

Shortcuts
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

TCC
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch1t)

WebKit
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: This issue was addressed with improved state management.
WebKit Bugzilla: 248615
CVE-2023-27932: an anonymous researcher

WebKit
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
WebKit Bugzilla: 250837
CVE-2023-27954: an anonymous researcher

Additional recognition

Activation Lock
We would like to acknowledge Christian Mina for their assistance.

CFNetwork
We would like to acknowledge an anonymous researcher for their assistance.

CoreServices
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

file_cmds
We would like to acknowledge Lukas Zronek for their assistance.

Heimdal
We would like to acknowledge Evgeny Legerov of Intevydis for their assistance.

ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their assistance.

Mail
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster University of Applied Sciences, Damian Poddebniak of FH Münster University of Applied Sciences, Tobias Kappert of Münster University of Applied Sciences, Christoph Saatjohann of Münster University of Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz Center for Information Security for their assistance.

Safari Downloads
We would like to acknowledge Andrew Gonzalez for their assistance.

Status Bar
We would like to acknowledge Nikita, jiaxu li for their assistance.

Telephony
We would like to acknowledge CheolJun Park of KAIST SysSec Lab for their assistance.

WebKit
We would like to acknowledge an anonymous researcher for their assistance.

WebKit Web Inspector
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer (@pwning_me) of SSD Labs for their assistance.

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About.

The version after applying this update will be "iOS 16.4 and iPadOS 16.4".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/