VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2023 · Updated Dec 5, 2024

CVE-2023-32407

Description

A logic issue in Apple operating systems allows an app to bypass Privacy preferences, patched in multiple OS updates released May 2023.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-32407 is a logic issue in the Privacy preferences subsystem of Apple operating systems. The vulnerability allows an app to bypass user-configured privacy settings, potentially accessing protected data without authorization. The issue was present in watchOS prior to 9.5, tvOS prior to 16.5, macOS Ventura prior to 13.4, iOS and iPadOS prior to 15.7.6 and 16.5, macOS Big Sur prior to 11.7.7, and macOS Monterey prior to 12.6.6 [1][2][3][4].

Exploitation

An attacker would need to convince a user to install a malicious app on the affected device. No additional authentication or special network position is required beyond the ability to execute the app. The attack can be carried out by the app itself without user interaction beyond installation [1][2].

Impact

A malicious app can bypass Privacy preferences, potentially accessing sensitive user data such as contacts, photos, location, or other information protected by the system's privacy controls. The compromise stays at the app level: the app does not gain higher system privileges, but it effectively ignores user-granted permissions [1][2].

Mitigation

Apple released patches for all affected OS versions on May 18, 2023: watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5 [1][2][3][4]. Users should update to the latest available OS version to mitigate this vulnerability.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

7
