CVE-2023-35990: An app may be able to identify what other apps a user has installed in Apple iOS and iPadOS

Published: Tue Sep 26 2023 (09/26/2023, 20:14:46 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

The issue was addressed with improved checks. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14. An app may be able to identify what other apps a user has installed.

AI-Powered Analysis

Last updated: 11/04/2025, 19:39:14 UTC

Technical Analysis

CVE-2023-35990 is a privacy vulnerability affecting Apple's iOS, iPadOS, watchOS, and macOS platforms, in which a malicious application can determine which other applications are installed on a user's device. The capability arises from insufficient authorization checks that allow an app to enumerate installed apps, exposing potentially sensitive information about user habits, preferences, and installed software. The vulnerability is classified under CWE-863 (Improper Authorization), indicating that the affected platforms failed to properly restrict access to this information. Apple addressed the issue by implementing improved authorization checks in iOS 17, iPadOS 17, watchOS 10, iOS 16.7, iPadOS 16.7, and macOS Sonoma 14.

Exploitation requires no authentication and no user interaction beyond installing the malicious app, so the bar is low once a compromised or malicious app reaches the device. Although there are no known exploits in the wild, knowledge of which apps are installed can be leveraged for targeted phishing, social engineering, or profiling attacks. The vulnerability does not directly affect device integrity or availability, but it compromises confidentiality and user privacy. The affected versions are unspecified but include all versions prior to the patched releases.

This issue is particularly relevant in environments where user privacy is critical, such as corporate or governmental settings, and where Apple devices are widely used. Because no CVSS score has been assigned, the assessment here is based on impact and exploitability, which suggests a medium severity rating: the privacy implications are real and exploitation is easy, but there is no direct system compromise.

Potential Impact

For European organizations, this vulnerability poses a significant privacy risk as it allows malicious apps to profile users by identifying installed applications, potentially revealing sensitive business or personal information. This can facilitate targeted social engineering, spear phishing, or espionage campaigns against employees or customers. Organizations handling sensitive data or operating under strict privacy regulations such as GDPR may face compliance risks if user data is indirectly exposed through such profiling. While the vulnerability does not enable direct device compromise or data exfiltration, the information gained can be used as a stepping stone for more sophisticated attacks. The impact is heightened in sectors with high Apple device usage, including finance, technology, and government agencies. Additionally, the reputational damage from privacy breaches can be significant. The absence of known exploits reduces immediate risk, but the ease of exploitation and widespread use of Apple devices in Europe make timely patching critical to mitigate potential future attacks.

Mitigation Recommendations

European organizations should enforce rapid deployment of the patched versions of iOS (17 and 16.7), iPadOS (17 and 16.7), watchOS 10, and macOS Sonoma 14 across all managed Apple devices. Mobile Device Management (MDM) solutions should be used to monitor device compliance and automate updates where possible. Restrict app installation to trusted sources such as the Apple App Store and implement app vetting policies to reduce the risk of malicious apps. Educate users about the risks of installing untrusted applications and encourage reporting of suspicious app behavior. Employ privacy-focused configurations and limit app permissions where feasible. Network monitoring can be enhanced to detect unusual app behavior indicative of reconnaissance activities. Regular privacy audits and penetration testing should include checks for app enumeration vulnerabilities. Organizations should also review and update their incident response plans to address potential privacy breaches stemming from this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2023-07-20T15:03:50.160Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690a53252a90255b94da66f3
Added to database: 11/4/2025, 7:25:25 PM
Last enriched: 11/4/2025, 7:39:14 PM
Last updated: 11/6/2025, 1:32:49 PM