On Thursday, Apple released security updates across its various platforms, including iOS, iPadOS, macOS, tvOS, watchOS, and Safari. These updates were aimed at addressing three newly discovered zero-day vulnerabilities that are currently being actively exploited by malicious actors.
Let’s take a closer look at the three security flaws:
- CVE-2023-32409: This vulnerability resides in WebKit and could be exploited by a malicious actor to break out of the Web Content sandbox. Apple addressed this issue by implementing improved bounds checks.
- CVE-2023-28204: Found in WebKit, this flaw involves an out-of-bounds read issue that could potentially lead to the disclosure of sensitive information during web content processing. Apple resolved this vulnerability by enhancing input validation.
- CVE-2023-32373: This bug, also discovered in WebKit, is a use-after-free vulnerability that could result in arbitrary code execution when processing maliciously crafted web content. Apple tackled this issue by improving memory management.
Apple attributed the discovery of CVE-2023-32409 to Clément Lecigne from Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill from Amnesty International’s Security Lab. An anonymous researcher was acknowledged for reporting the other two vulnerabilities.
Notably, both CVE-2023-28204 and CVE-2023-32373 were patched through Rapid Security Response updates, namely iOS 16.4.1 (a) and iPadOS 16.4.1 (a), which were released at the beginning of the month.
At present, there are no additional technical details available regarding these vulnerabilities, including the nature of the attacks or the identity of the threat actors exploiting them. However, it is worth mentioning that such vulnerabilities have historically been exploited in highly targeted intrusions, especially to deploy spyware on the devices of individuals such as dissidents, journalists, and human rights activists.
The latest updates are applicable to the following devices and operating systems:
- IOS 16.5 and iPadOS 16.5: iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
- IOS 15.7.6 and iPadOS 15.7.6: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
macOS Ventura 13.4: macOS Ventura.
tvOS 16.5: Apple TV 4K (all models) and Apple TV HD.
watchOS 9.5: Apple Watch Series 4 and later.
Safari 16.5: macOS Big Sur and macOS Monterey.
Since the beginning of 2023, Apple has successfully addressed a total of six actively exploited zero-day vulnerabilities. In February, they patched a WebKit flaw (CVE-2023-23529) that had the potential for remote code execution. Last month, Apple released fixes for two vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and Ó Cearbhaill were credited for reporting these security flaws.