Apple has recently fixed three zero-day vulnerabilities that were being actively exploited to hack into iPhones, Macs, and iPads. The company stated in security advisories that they are "aware of a report that this issue may have been actively exploited." The security flaws were discovered in the WebKit browser engine, a multi-platform component, and have been assigned the identifiers CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
The first vulnerability, CVE-2023-32409, is a sandbox escape that allows remote attackers to break out of the Web Content sandbox. The other two, CVE-2023-28204 and CVE-2023-32373, are an out-of-bounds read and a use-after-free. Together these flaws can let an attacker read sensitive information and execute arbitrary code on a device after tricking the target into loading a maliciously crafted web page.
Apple has addressed these zero-day vulnerabilities in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. The updates include improved bounds checks, input validation, and memory management. The list of impacted devices is extensive, affecting both older and newer models.
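For defenders tracking exposure across a fleet, the useful fact in the advisory is the minimum fixed version per product. The following added example (written for this page; not Apple's code or the article's) compares reported version strings against those minimums, using numeric rather than string comparison so that a hypothetical "13.10" correctly ranks above "13.4". The inventory rows are constructed sample data, and `sw_vers` is only invoked when the script runs on a Mac.

```python
"""Added example: check Apple OS / Safari versions against the minimum
fixed versions named in the May 2023 advisory (not part of the article)."""
import subprocess

# Minimum versions carrying the fixes for CVE-2023-32409, CVE-2023-28204
# and CVE-2023-32373, as listed in the advisory text above.
FIXED_VERSIONS = {
    "macOS": "13.4",
    "iOS": "16.5",
    "iPadOS": "16.5",
    "tvOS": "16.5",
    "watchOS": "9.5",
    "Safari": "16.5",
}


def parse_version(s):
    """Turn '13.4.1' into (13, 4, 1). A Rapid Security Response suffix such
    as '16.4.1 (a)' is dropped; the article says those RSRs covered only two
    of the three CVEs, so treating them as the base version is the safe call."""
    core = s.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(product, installed):
    """True when the installed version is at least the fixed version."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[product])


def unpatched(inventory):
    """inventory: iterable of (host, product, version); returns the rows
    that are still below the fixed version."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


def local_macos_version():
    """Read ProductVersion via sw_vers on macOS; None on other platforms."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mac-01", "macOS", "13.4"),
    ("mac-02", "macOS", "13.3.1 (a)"),   # RSR applied, still below 13.4
    ("ipad-07", "iPadOS", "16.5"),
    ("iphone-12", "iOS", "16.4.1"),
    ("watch-03", "watchOS", "9.5"),
]

if __name__ == "__main__":
    for host, product, version in unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
    local = local_macos_version()
    if local is not None:
        state = "patched" if is_patched("macOS", local) else "UNPATCHED"
        print(f"this Mac: macOS {local} -> {state}")
```

The tuple comparison is deliberately lenient about length, so "13.4" satisfies the check while "13.3.1" does not; if you extend the table for later advisories, keep each entry as the lowest version that contains the fix.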
Apple also revealed that CVE-2023-28204 and CVE-2023-32373 were initially addressed with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices, which were released on May 1. The company did not provide further details about the flaws fixed in the May RSR updates when contacted for more information.
While Apple acknowledges that the three patched zero-days were being exploited, it has not shared any information about the nature of the attacks. The security advisories do reveal that CVE-2023-32409 was reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab. Both organizations are known for disclosing details of state-backed campaigns that exploit zero-day vulnerabilities to deploy spyware on the devices of politicians, journalists, dissidents, and others.
In April, Apple fixed two other zero-days, CVE-2023-28206 and CVE-2023-28205, which were used in exploit chains that combined Android, iOS, and Chrome zero-day and n-day vulnerabilities. Those chains were abused to deploy commercial spyware on the devices of high-risk targets worldwide. In February, Apple addressed another WebKit zero-day, CVE-2023-23529, which was exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.