Apple Issues Security Updates to Address Zero-Day Vulnerabilities
July 24, 2023
Apple has released security updates to address zero-day vulnerabilities that have been leveraged in attacks on iPhones, Macs, and iPads. The company says it is aware of reports indicating that these vulnerabilities may have been actively exploited. Apple's advisory highlights a WebKit flaw, identified as CVE-2023-37450, which was addressed in the latest Rapid Security Response (RSR) updates released earlier this month.
Another zero-day vulnerability that was patched is a new Kernel flaw, identified as CVE-2023-38606, which was exploited in attacks against devices running older iOS versions. Apple has confirmed reports of active exploitation of this issue against iOS versions released prior to iOS 15.7.1. On unpatched devices, this flaw could be exploited to modify sensitive kernel state.
Apple has addressed these two vulnerabilities by enhancing checks and state management. The company has also backported security patches for a zero-day (CVE-2023-32409) that was addressed in May, to devices running tvOS 16.6 and watchOS 9.6.
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 by improving bounds checks, input validation, and memory management. The list of devices impacted by the two zero-days fixed in this round includes a wide array of iPhone and iPad models, as well as Macs running macOS Big Sur, Monterey, and Ventura.
Since the beginning of the year, Apple has patched 11 zero-day flaws that attackers have exploited to target devices running iOS, macOS, and iPadOS. Earlier this month, Apple issued out-of-band Rapid Security Response (RSR) updates to address a bug (CVE-2023-37450) affecting fully-patched iPhones, Macs, and iPads. The company later confirmed that these RSR updates caused issues with web browsing on certain websites and released corrected versions of the problematic patches two days later.