The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has instructed federal agencies to address three recently patched zero-day vulnerabilities affecting iPhones, Macs, and iPads, which are known to have been exploited in attacks. These security flaws are identified as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 and are found in the WebKit browser engine. The vulnerabilities enable attackers to escape the browser sandbox, access sensitive data on the affected device, and execute arbitrary code after successful exploitation. Apple stated, "Apple is aware of a report that this issue may have been actively exploited," when discussing the vulnerabilities.
The three zero-day flaws were fixed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 through enhanced bounds checks, input validation, and memory management. The list of impacted devices is extensive. Although Apple has not provided specific information about the attacks in which these bugs have been exploited, it did reveal that CVE-2023-32409 was reported by Clément Lecigne from Google's Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International's Security Lab. These two researchers and their organizations frequently share information about state-sponsored campaigns that use zero-day vulnerabilities to deploy surveillance spyware on the devices of politicians, journalists, dissidents, and other individuals in highly targeted attacks. For example, they disclosed in March details on two recent campaigns using complex exploit chains of Android, iOS, and Chrome flaws to install mercenary spyware, one of them a Samsung ASLR bypass flaw CISA warned about on Friday.
In line with the binding operational directive (BOD 22-01) issued in November 2022, Federal Civilian Executive Branch (FCEB) agencies must apply patches to their systems for all security bugs listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. With the latest update, FCEB agencies must secure their iOS, iPadOS, and macOS devices by June 12th, 2023. Although this directive is primarily aimed at U.S. federal agencies, it is strongly recommended that private companies also prioritize fixing vulnerabilities included in the KEV list of bugs exploited in attacks. CISA stated on Monday, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." In April, federal agencies were also cautioned to protect iPhones and Macs on their networks against another pair of iOS and macOS security flaws reported by Google TAG and Amnesty International security researchers.
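The KEV obligation described above turns into a concrete, repeatable check: read the catalog feed, pull the due date for each CVE of interest, and compare every Apple device in an inventory against the OS version that carries the fix. The following script is an added example, not code from the article, CISA, or Apple. It uses the field names of the real KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`), but the feed records and the device inventory are constructed so the example runs offline; the fixed versions (macOS 13.4, iOS/iPadOS 16.5) and the June 12, 2023 due date come from the article.

```python
"""Check an Apple device inventory against CISA KEV entries and BOD 22-01 due dates.

Added example (not from the article). The KEV record layout mirrors the real
catalog feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json,
but the records below are CONSTRUCTED for this example; fetch the live feed for
real use. The inventory is likewise constructed.
"""
from datetime import date
import json

# The three WebKit CVEs named in the article.
CVE_IDS = ["CVE-2023-32409", "CVE-2023-28204", "CVE-2023-32373"]

# Constructed feed fragment in the KEV catalog's JSON shape (only the fields used here).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": cve, "vendorProject": "Apple", "product": "Multiple Products",
         "dueDate": "2023-06-12"}
        for cve in CVE_IDS
    ] + [
        # Unrelated entry, to show that filtering by cveID is needed.
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dueDate": "2023-01-01"},
    ]
})

# Lowest OS version that contains the fix, per the article.
FIXED_VERSIONS = {"macOS": (13, 4), "iOS": (16, 5), "iPadOS": (16, 5)}

# Constructed inventory: (hostname, platform, reported OS version).
INVENTORY = [
    ("mac-01", "macOS", "13.3.1"),
    ("mac-02", "macOS", "13.4"),
    ("phone-01", "iOS", "16.4.1"),
    ("pad-01", "iPadOS", "16.5"),
    ("linux-01", "Ubuntu", "22.04"),   # not an Apple platform; ignored
]


def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def kev_due_dates(feed_json, cve_ids):
    """Map each requested CVE to its KEV due date; CVEs absent from the feed are omitted."""
    wanted = set(cve_ids)
    out = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] in wanted:
            out[entry["cveID"]] = date.fromisoformat(entry["dueDate"])
    return out


def noncompliant_devices(inventory, fixed=FIXED_VERSIONS):
    """Return (hostname, platform, version) for devices running below the fixed version."""
    flagged = []
    for hostname, platform, version in inventory:
        minimum = fixed.get(platform)
        if minimum is None:
            continue  # platform not covered by these fixes
        if parse_version(version) < minimum:
            flagged.append((hostname, platform, version))
    return flagged


def report(inventory, feed_json, cve_ids, today):
    """Summarise patch status against the earliest KEV due date for the given CVEs."""
    due = kev_due_dates(feed_json, cve_ids)
    deadline = min(due.values()) if due else None
    devices = noncompliant_devices(inventory)
    return {
        "deadline": deadline,
        "overdue": bool(devices) and deadline is not None and today > deadline,
        "devices": devices,
        "missing_from_kev": sorted(set(cve_ids) - set(due)),
    }


if __name__ == "__main__":
    result = report(INVENTORY, KEV_SAMPLE, CVE_IDS, today=date(2023, 6, 13))
    print(f"KEV deadline: {result['deadline']}  overdue: {result['overdue']}")
    for host, platform, version in result["devices"]:
        print(f"  {host}: {platform} {version} below {'.'.join(map(str, FIXED_VERSIONS[platform]))}")
```

Version strings are compared as integer tuples rather than strings, so "16.10" sorts above "16.5"; the `missing_from_kev` field is there because a CVE that has not yet landed in the catalog still deserves attention even though no BOD 22-01 date applies to it.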