Apple released an emergency security update to patch three newly identified zero-days that threat actors were actively exploiting. The vulnerabilities affected iPhone and Mac users, and the fixes bring the total number of zero-days Apple has patched this year to 16.
What Do We Know About the Vulnerabilities?
Two of the vulnerabilities were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991). By exploiting the vulnerabilities, attackers could bypass signature validation or gain arbitrary code execution via maliciously crafted webpages.
The third vulnerability (CVE-2023-41992) was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel resident device drivers. Threat actors can exploit this flaw to escalate privileges.
Apple addressed a certificate validation issue and strengthened checks to address the three zero-day flaws in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1.
Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
Apple on the Security Flaws (Source)
The list of impacted devices contains both older and newer models:
- iPhone 8 and later;
- iPad mini 5th generation and later;
- Macs running macOS Monterey and newer;
- Apple Watch Series 4 and later.
Bill Marczak of the Munk School Citizen Lab at The University of Toronto and Maddie Stone of Google’s Threat Analysis Group discovered and reported all three zero-days.
Apple has not yet disclosed more information about how the flaws are used in the wild, but security researchers from Citizen Lab and Google Threat Analysis Group have frequently exposed zero-day bugs that are used in targeted spyware attacks against high-risk targets like journalists, opposition politicians, and dissidents.