Apple Patches Three Actively Exploited Zero-Day Vulnerabilities
May 18, 2023
Apple has recently fixed three zero-day vulnerabilities that were being actively exploited to hack into iPhones, Macs, and iPads. The company stated in its security advisories that it is "aware of a report that this issue may have been actively exploited." The security flaws were discovered in WebKit, Apple's multi-platform browser engine, and have been assigned the identifiers CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
The first vulnerability, CVE-2023-32409, is a sandbox escape, which allows remote attackers to break out of Web Content sandboxes. The other two vulnerabilities, CVE-2023-28204 and CVE-2023-32373, involve an out-of-bounds read and a use-after-free issue. These vulnerabilities can enable attackers to access sensitive information and execute arbitrary code on compromised devices after tricking targets into loading maliciously crafted web pages.
Apple has addressed these zero-day vulnerabilities in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. The updates include improved bounds checks, input validation, and memory management. The list of impacted devices is extensive, affecting both older and newer models.
Apple also revealed that CVE-2023-28204 and CVE-2023-32373 were initially addressed with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices, which were released on May 1. The company did not provide further details about the flaws fixed in the May RSR updates when contacted for more information.
While Apple acknowledges that the three zero-days patched are being exploited, it has not shared any information about the nature of these attacks. The security advisories do reveal that CVE-2023-32409 was reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. These organizations are known for disclosing details about state-backed campaigns that exploit zero-day vulnerabilities to deploy spyware on the devices of politicians, journalists, dissidents, and others.
In April, Apple fixed two other zero-days, CVE-2023-28206 and CVE-2023-28205, which were used in exploit chains that combined Android, iOS, and Chrome zero-day and n-day vulnerabilities. These vulnerabilities were abused to deploy commercial spyware on the devices of high-risk targets worldwide. In February, Apple addressed another WebKit zero-day, CVE-2023-23529, which was exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.