Apple has issued urgent security updates to remedy three fresh zero-day vulnerabilities that were exploited in attacks targeting both iPhone and Mac users, bringing the total count of fixed zero-days to 16 for the year.
Two of these vulnerabilities were discovered in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991). They allowed attackers to bypass signature validation through the use of malicious apps or gain control over arbitrary code by manipulating maliciously crafted webpages.
The third vulnerability was located in the Kernel Framework, which provides support and APIs for kernel extensions and kernel-resident device drivers. This flaw (CVE-2023-41992) could be exploited by local attackers to escalate their privileges.
Apple addressed these three zero-day vulnerabilities in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by resolving a certificate validation issue and enhancing security checks.
In its security advisories, Apple acknowledged awareness of reports that these vulnerabilities may have been actively exploited on iOS versions prior to iOS 16.7.
The affected devices range from older to newer models and include:
- iPhone 8 and later
- iPad mini 5th generation and later
- Macs running macOS Monterey and newer
- Apple Watch Series 4 and later
These three zero-day vulnerabilities were discovered and reported by Bill Marczak from Citizen Lab at The University of Toronto’s Munk School and Maddie Stone from Google’s Threat Analysis Group.
While Apple has not provided detailed information about the exploitation of these vulnerabilities in the wild, security researchers from Citizen Lab and Google Threat Analysis Group have previously disclosed zero-day vulnerabilities that were used in targeted spyware attacks, often aimed at high-risk individuals like journalists, opposition politicians, and dissidents.
Citizen Lab had earlier disclosed two additional zero-day vulnerabilities (CVE-2023-41061 and CVE-2023-41064), which Apple also patched in emergency security updates earlier in the same month. These vulnerabilities were exploited as part of a zero-click exploit chain known as BLASTPASS, which was used to infect fully updated iPhones with NSO Group’s Pegasus commercial spyware.
Throughout the year, Apple has been actively patching various zero-day vulnerabilities:
- In July, two zero-days (CVE-2023-37450 and CVE-2023-38606) were fixed.
- In June, three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) were addressed.
- May saw the patching of three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373).
- In April, two zero-days (CVE-2023-28206 and CVE-2023-28205) were fixed.
- February included the resolution of another WebKit zero-day (CVE-2023-23529).