CVE-2023-41990
Published 2023-09-12
Priority P1 · 83 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2024-01-29
Exploited in the wild
EPSS: 1.15% (62.7th percentile)
The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura 13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_15.7.8_and_ipados | — | — |
| apple | ios_16.3_and_ipados | — | — |
| apple | ios_and_ipados | >= unspecified < 16.3 | 16.3 |
| apple | ios_and_ipados | >= unspecified < 15.7 | 15.7 |
| apple | ipados | < 15.7.8 | 15.7.8 |
| apple | ipados | >= 16.0 < 16.3 | 16.3 |
| apple | iphone_os | < 15.7.8 | 15.7.8 |
| apple | iphone_os | >= 16.0 < 16.3 | 16.3 |
| apple | macos | < 11.7.9 | 11.7.9 |
| apple | macos | >= 12.0.0 < 12.6.8 | 12.6.8 |
| apple | macos | >= 13.0 < 13.2 | 13.2 |
| apple | macos | >= unspecified < 11.7 | 11.7 |
| apple | macos | >= unspecified < 13.2 | 13.2 |
| apple | macos | >= unspecified < 12.6 | 12.6 |
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| apple | tvos | < 16.3 | 16.3 |
| apple | tvos | — | — |
| apple | tvos | >= unspecified < 16.3 | 16.3 |
| apple | watchos | < 9.3 | 9.3 |
| apple | watchos | — | — |
| apple | watchos | >= unspecified < 9.3 | 9.3 |
Detection & IOCs (extracted from sources)
- CVE-2023-41990 exploits an undocumented Apple-only ADJUST TrueType font instruction delivered as a malicious iMessage attachment; look for FontParser processing anomalies triggered with no user interaction (0-click).
- Look for modification of empty SMS attachment directories (Library/SMS/Attachments) immediately followed by BackupAgent network activity — this pattern indicates a malicious iMessage attachment was received and then deleted by the attacker.
- The exploit chain uses the NSExpression/NSPredicate query language for multi-stage privilege escalation after the initial font RCE; monitor for unusual NSPredicate/NSExpression evaluation in sandboxed contexts.
- Post-exploitation, the attacker launches IMAgent with an injected payload to clear exploitation artifacts, then spawns an invisible Safari process to load the next stage; monitor for IMAgent spawning unexpected child processes or Safari running in headless/invisible mode.
- C2 communications from the JavaScript validator use NaCl public-key cryptography (nacl.box) with a randomly generated ephemeral key pair; network traffic to C2 servers will appear as opaque encrypted HTTPS blobs even after TLS interception.
- The exploit targets Apple A12–A16 Bionic SoCs specifically; the MMIO register abuse (CVE-2023-38606) uses undocumented GPU coprocessor registers not present in the device tree, meaning firmware-level detection is not feasible via standard tooling.
- The attack was designed to work on iOS versions up to iOS 16.2; devices running iOS 15.7.1 and later (before the full patch) may have partial mitigations, but the full chain was patched across tvOS 16.3, iOS 16.3/iPadOS 16.3, macOS Ventura 13.2, and related releases.
- iOS implements SSL pinning for Apple services including iMessage, preventing MITM interception of the initial exploit delivery vector even with a trusted root certificate installed on the device.
CVSS provenance
- nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- vulncheck · 7.8 HIGH
- cisa · 7.8 HIGH
CISA
Apple Multiple Products Code Execution Vulnerability
cisa·2024-01-08·CVSS 7.8
Vulnerability: Apple Multiple Products Code Execution Vulnerability
Affected: Apple Multiple Products
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.apple.com/en-us/HT213599, https://support.apple.com/en-us/HT213601, https://support.apple.com/en-us/HT213605, https://support.apple.com/en-us/HT213606, https://support.apple.com/en-us/HT213842, https://support.apple.com/en-us/HT213844, https://support.apple.com/en-us/HT213845 ; https://nvd.nist.gov/vuln/detail/CVE-2023-41990
Remediation Due Date: 2024-01-29
Apple
CVE-2023-41990: iOS 15.7.8 and iPadOS 15.7.8
vendor_apple·2023-07-24·CVSS 7.8
Apple Security Update: About the security content of iOS 15.7.8 and iPadOS 15.7.8
Product: iOS 15.7.8 and iPadOS
Version: 15.7.8
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: macOS Monterey 12.6.8
vendor_apple·2023-07-24·CVSS 7.8
Apple Security Update: About the security content of macOS Monterey 12.6.8
Product: macOS Monterey
Version: 12.6.8
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: macOS Big Sur 11.7.9
vendor_apple·2023-07-24·CVSS 7.8
Apple Security Update: About the security content of macOS Big Sur 11.7.9
Product: macOS Big Sur
Version: 11.7.9
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: tvOS 16.3
vendor_apple·2023-01-24·CVSS 7.8
Apple Security Update: About the security content of tvOS 16.3
Product: tvOS
Version: 16.3
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: macOS Ventura 13.2
vendor_apple·2023-01-23·CVSS 7.8
Apple Security Update: About the security content of macOS Ventura 13.2
Product: macOS Ventura
Version: 13.2
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: watchOS 9.3
vendor_apple·2023-01-23·CVSS 7.8
Apple Security Update: About the security content of watchOS 9.3
Product: watchOS
Version: 9.3
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
Apple
CVE-2023-41990: iOS 16.3 and iPadOS 16.3
vendor_apple·2023-01-23·CVSS 7.8
Apple Security Update: About the security content of iOS 16.3 and iPadOS 16.3
Product: iOS 16.3 and iPadOS
Version: 16.3
CVE: CVE-2023-41990
Component: FontParser
Impact: Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
Description: The issue was addressed with improved handling of caches.
GHSA
GHSA-pc7v-gfwg-hjx7: The issue was addressed with improved handling of caches
ghsa_unreviewed·2023-09-12
The issue was addressed with improved handling of caches. This issue is fixed in macOS Ventura 13.2, iOS 15.7.8 and iPadOS 15.7.8, watchOS 9.3, tvOS 16.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.9, macOS Monterey 12.6.8. Processing a font file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
VulnCheck
Apple Multiple Products Code Execution Vulnerability
vulncheck·2023·CVSS 7.8
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.
Affected: Apple Multiple Products
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.apple.com/kb/HT213599; https://support.apple.com/kb/HT213605; https://support.apple.com/kb/HT213606; https://support.apple.com/kb/HT213601; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT213842; https://support.apple.com/kb/HT213844; https://support.apple.com/kb/HT213845; https://securelist.com/operation-triangulation-the-last
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA warns agencies of fourth flaw used in Triangulation spyware attacks
blogs_bleepingcomputer·2024-01-09·CVSS 5.3
By Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added six vulnerabilities to its Known Exploited Vulnerabilities catalog that impact products from Apple, Adobe, Apache, D-Link, and Joomla.
The Known Exploited Vulnerabilities catalog, or KEV for short, contains security issues that have been actively exploited in the wild. It is a valuable resource for organizations across the globe in the vulnerability management and prioritization process.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," reads CISA's notice.
CISA has given federal agencies until January 29 to patch the six actively
Sentinelone
Protecting macOS | 7 Strategies for Enterprise Security in 2024
blogs_sentinelone·2024-01-02
Welcome to 2024! It may be a new year for us all, but it’s very much business as usual for cybersecurity professionals. Last year saw an increase in the number and variety of new threats targeting the macOS platform, and as the influence of the Mac continues to expand in enterprise environments, there is little doubt that 2024 will continue that trend.
In this post, we reflect on the lessons we can learn from the last 12 months of threat activity against Apple's desktop operating system, and offer 7 strategies for defenders to help bolster their threat hunting, detection and mitigation efforts.
## 1. Don’t Rely on Persistence for Detection
Perhaps the most important lesson that defenders learned from 2023’s crop of macOS malware was that monitoring for persistence methods became a much
Bleepingcomputer
The biggest cybersecurity and cyberattack stories of 2023
blogs_bleepingcomputer·2024-01-01
By Lawrence Abrams
2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
Some stories, though, were more impactful or popular with our 22 million readers than others.
Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2023, with a summary of each.
## 14. The 23andMe data breach
Genetic testing provider 23andMe suffered credential stuffing attacks that led to a major data breach, exposing the data of 6.9 million users.
The company states that the attackers only breached a small number of accounts during the credential-stuffing attacks. However, the threat actors were able to
Securelist
Operation Triangulation: The last (hardware) mystery
blogs_securelist·2023-12-27·CVSS 5.5 (CVE-2023-38606, MEDIUM)
Table of Contents
- Operation Triangulation's attack chain
- The mystery and the CVE-2023-38606 vulnerability
- Technical details
- Conclusion
- Update 2024-01-09
Authors
- Boris Larin
UPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT&CK framework.
Today, on December 27, 2023, we (Boris Larin, Leonid Bezvershenko, and Georgy Kucherin) delivered a presentation, titled "Operation Triangulation: What You Get When Attack iPhones of Researchers", at the 37th Chaos Communication Congress (37C3), held at Congress Center Hamburg. The presentation summarized the results of our long-term research into Operation Triangulation, conducted with our colleagues, Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.
This presentation was also the first time we had
Securelist
How Kaspersky obtained all stages of Operation Triangulation
blogs_securelist·2023-10-26
Table of Contents
- First steps
- Device imaging
- Examining backups
- Trying to intercept the malicious iMessage
- Good old MITM
- Catching the JavaScript validator
- The binary validator and the hint about the attachment
- Exploring iMessage
- Getting the implant
- Obtaining the modules
- Conclusion
Authors
- Leonid Bezvershenko
- Georgy Kucherin
- Igor Kuznetsov
- Boris Larin
- Valentin Pashkov
UPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT&CK framework.
In the beginning of 2023, thanks to our Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM system, we noticed suspicious network activity that turned out to be an ongoing attack targeting the iPhones and iPads of our colleagues. The moment we understood that there was a clear patter
References
- https://support.apple.com/en-us/HT213599
- https://support.apple.com/en-us/HT213601
- https://support.apple.com/en-us/HT213605
- https://support.apple.com/en-us/HT213606
- https://support.apple.com/en-us/HT213842
- https://support.apple.com/en-us/HT213844
- https://support.apple.com/en-us/HT213845
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41990
Timeline
- 2023-09-12: Published
- 2024-01-08: Added to CISA KEV
- Exploited in the wild