Apple news: iLeakage attack, MAC address leakage bug
2023-10-27 09:17

On Wednesday, Apple released security updates for all supported branches of iOS and iPadOS, macOS, tvOS, watchOS and Safari.

Another vulnerability of note fixed this Wednesday with the release of iOS 17.1 and iPadOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1 and watchOS 10.1 is CVE-2023-42846, a bug that made a privacy-enhancing feature not work as intended.

"Ever since it was introduced [in iOS 14], the feature was completely useless. While iOS replaces the device's real MAC address in the data link layer with a generated address per network, it includes the real MAC address in the AirPlay discovery requests that an iPhone starts sending when it joins a network," the researchers explained.

A group of researchers has developed a side-channel attack exploiting Apple A-series or M-series CPUs' speculative execution capability to extract sensitive information when a Safari user lands on a specially crafted webpage.

The attack can also be leveraged against Chrome, Firefox and Edge users on iOS, since they use Safari's JavaScript engine.

The researchers pointed out that the attack is "significantly difficult" to orchestrate end-to-end and that they currently do not have evidence that iLeakage has been abused by attackers.


News URL

https://www.helpnetsecurity.com/2023/10/27/ileakage-attack-mac-address-leakage/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
| --- | --- | --- | --- |
| 2023-10-25 | CVE-2023-42846 | Unspecified vulnerability in Apple products. This issue was addressed by removing the vulnerable code. (network, low complexity, apple) | 5.3 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349