Contents:
Apple resolves three new zero-day vulnerabilities used to compromise iPhones and Macs. The flaws were all found in the multi-platform WebKit browser engine, as the company revealed in security advisories released to inform its clients about the active exploitation of the flaws.
The Vulnerabilities Explained
The vulnerabilities are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. The first vulnerability is a sandbox escape that enables remote attackers to break out of Web Content sandboxes.
The other two, which can both be exploited by tricking targets into loading maliciously designed web pages (web content), are an out-of-bounds read that allows attackers to access private data and a use-after-free flaw that permits arbitrary code execution on infected devices.
Improvements to bounds checks, input validation, and memory management were made in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 to address the three zero-day vulnerabilities.
According to BleepingComputer, the list of affected devices is quite large and it includes:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
The company also disclosed that the Rapid Security Response (RSR) updates for iOS 16.4.1 and macOS 13.3.1 devices released on May 1 were the first to address CVE-2023-28204 and CVE-2023-32373 (reported by unnamed researchers).
Multiple Zero-Days Since the Start of the Year
Prior to fixing these three vulnerabilities, Apple encountered three more this year, counting for 6 zero-days since the beginning of 2023.
Apple patched two zero-day vulnerabilities (CVE-2023-28206 and CVE-2023-28205) in April that were a part of in-the-wild exploit chains for Android, iOS, and Chrome that were being used to install commercial spyware on the devices of high-risk targets all around the world.
Apple patched a further WebKit zero-day (CVE-2023-23529) that was being used in attempts to execute code on susceptible Macs, iPhones, and iPads in February.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.