Apple launched emergency safety updates to patch three new zero-day vulnerabilities exploited in assaults concentrating on iPhone and Mac customers, for a complete of 16 zero-days mounted this yr.
Two bugs had been discovered within the WebKit browser engine (CVE-2023-41993) and the Safety framework (CVE-2023-41991), enabling attackers to bypass signature validation utilizing malicious apps or achieve arbitrary code execution through maliciously crafted webpages.
The third one was discovered within the Kernel Framework, which offers APIs and help for kernel extensions and kernel-resident gadget drivers. Native attackers can exploit this flaw (CVE-2023-41992) to escalate privileges.
Apple mounted the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificates validation situation and thru improved checks.
“Apple is conscious of a report that this situation could have been actively exploited towards variations of iOS earlier than iOS 16.7,” the corporate revealed in safety advisories describing the safety flaws.
The listing of impacted gadgets encompasses older and newer gadget fashions, and it contains:
- iPhone 8 and later
- iPad mini fifth technology and later
- Macs operating macOS Monterey and newer
- Apple Watch Sequence 4 and later
All three zero-days had been discovered and reported by Invoice Marczak of the Citizen Lab at The College of Toronto’s Munk Faculty and Maddie Stone of Google’s Menace Evaluation Group.
Whereas Apple has but to supply extra particulars concerning the failings’ exploitation within the wild, Citizen Lab and Google Menace Evaluation Group safety researchers have typically disclosed zero-day bugs abused in focused adware assaults concentrating on high-risk people, together with journalists, opposition politicians, and dissidents.
Citizen Lab disclosed two different zero-days (CVE-2023-41061 and CVE-2023-41064), additionally mounted by Apple in emergency safety updates earlier this month and abused as a part of a zero-click exploit chain (dubbed BLASTPASS) to contaminate absolutely patched iPhones with NSO Group’s Pegasus industrial adware.
Because the begin of the yr, Apple has additionally patched:
