Apple has recently released security updates to fix zero-day vulnerabilities that have been exploited in attacks on iPhones, Macs, and iPads. The company says it is aware of reports that these vulnerabilities may have been actively exploited. Apple's advisory highlights a WebKit flaw, tracked as CVE-2023-37450, which was first addressed in the Rapid Security Response (RSR) updates released earlier this month.
Another zero-day vulnerability that was patched is a new Kernel flaw, identified as CVE-2023-38606, which was exploited in attacks against devices running older iOS versions. Apple has confirmed reports of active exploitation of this issue against iOS versions released prior to iOS 15.7.1. This flaw could be exploited on unpatched devices to alter sensitive kernel states.
Apple addressed these two vulnerabilities with improved checks and improved state management. The company also backported the fix for a zero-day (CVE-2023-32409) that was first addressed in May to devices running tvOS 16.6 and watchOS 9.6.
Apple fixed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management. The list of devices affected by the two zero-days fixed in this round covers a wide range of iPhone and iPad models, as well as Macs running macOS Big Sur, Monterey, and Ventura.
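For anyone responsible for a fleet of Apple devices, the practical follow-up to an advisory like this is a patch-level check: which devices are still below the OS versions the advisory names as fixed? The script below is an added example, not Apple's code and not part of the original article. The minimum versions are taken from the article text (iOS 15.7.1 for the kernel flaw, macOS Ventura 13.4, tvOS 16.6, watchOS 9.6); applying the iOS threshold to iPadOS is an assumption, and the inventory lines are constructed sample data, not real devices.

```python
"""Fleet patch-level check against the OS versions an advisory names as fixed.

Added example (not Apple's code). Thresholds come from the article text;
the inventory below is constructed sample data.
"""

from typing import Dict, List, Tuple

# Minimum versions taken from the article text. The kernel flaw was exploited
# against releases prior to iOS 15.7.1; macOS Ventura 13.4, tvOS 16.6 and
# watchOS 9.6 are releases the article names as carrying fixes.
MIN_PATCHED: Dict[str, str] = {
    "ios": "15.7.1",
    "ipados": "15.7.1",   # assumption: same kernel-fix threshold as iOS
    "macos": "13.4",
    "tvos": "16.6",
    "watchos": "9.6",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '15.7.1' into (15, 7, 1).

    Pads short versions with zeros so that '16.6' equals '16.6.0', and
    compares numerically so that '15.10' is newer than '15.7.1' (a plain
    string comparison would get that wrong).
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_patched(platform: str, version: str) -> bool:
    """True if the device runs at least the minimum patched version."""
    key = platform.lower()
    if key not in MIN_PATCHED:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) >= parse_version(MIN_PATCHED[key])


def unpatched_devices(inventory: str) -> List[str]:
    """Inventory lines look like '<device-id>,<platform>,<version>'.

    Returns the ids of devices below the minimum patched version for their
    platform, in inventory order. Blank lines and '#' comments are skipped.
    """
    flagged: List[str] = []
    for line in inventory.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        dev, platform, version = [f.strip() for f in line.split(",")]
        if not is_patched(platform, version):
            flagged.append(dev)
    return flagged


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """
# id,platform,version
phone-01,iOS,16.5
phone-02,iOS,15.6
phone-03,iOS,15.7.1
mac-01,macOS,13.4
mac-02,macOS,13.3.1
tv-01,tvOS,16.5
watch-01,watchOS,9.6
"""

if __name__ == "__main__":
    for dev in unpatched_devices(SAMPLE_INVENTORY):
        print(f"needs update: {dev}")
```

Feed it the output of your MDM or inventory export in the same comma-separated shape and the result is the list of devices to prioritise; the numeric version comparison matters because a lexical comparison would rank iOS 15.10 below 15.7.1.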
Since the beginning of the year, Apple has patched 11 zero-day flaws that attackers have exploited to target devices running iOS, macOS, and iPadOS. Earlier this month, Apple issued out-of-band Rapid Security Response (RSR) updates to address a bug (CVE-2023-37450) affecting fully patched iPhones, Macs, and iPads. The company later confirmed that these RSR updates broke web browsing on certain websites and released corrected versions of the problematic patches two days later.