Apple, the tech giant known for its stringent security measures, has once again taken swift action to address potential threats. In a recent move, Apple has released emergency security updates to counteract three new zero-day vulnerabilities. These vulnerabilities were actively exploited in attacks targeting both iPhone and Mac users. This brings the total number of zero-days addressed by Apple this year to 16.
Two of the vulnerabilities were identified in the WebKit browser engine, specifically CVE-2023-41993 and the security framework CVE-2023-41991. These vulnerabilities could allow attackers to bypass signature validation using malicious apps or execute arbitrary code through maliciously crafted web pages.
The third vulnerability was detected in the kernel framework, which offers APIs and support for kernel extensions and kernel-resident device drivers. Local attackers could exploit this flaw, CVE-2023-41992, to escalate their privileges.Apple has addressed these zero-day bugs across several of its platforms, including macOS 188.8.131.52, iOS 184.108.40.2061, iPadOS 220.127.116.111, and watchOS 18.104.22.1681. The company has implemented improved checks and addressed a certificate validation issue.
Apple’s security advisories have revealed that there have been active exploitations against versions of iOS prior to iOS 16.7.
The list of devices affected by these vulnerabilities is extensive, covering both older and newer models. This includes the iPhone 8 and later, iPad mini (5th generation and later), Macs running macOS Monterey and newer, and Apple Watch Series 4 and later.
The discovery of these zero-days was credited to Bill Marczak of the Citizen Lab at the University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group.
Citizen Lab and Google’s Threat Analysis Group have frequently disclosed zero-day vulnerabilities that were exploited in targeted spyware attacks. These attacks often target high-risk individuals, such as journalists, opposition politicians, and dissidents. Earlier this month, Citizen Lab revealed two other zero-days, which were also addressed by Apple in emergency security updates.
Apple’s proactive approach to security threats is commendable. The company’s swift response to these vulnerabilities underscores its commitment to user safety.
Users are advised to update their devices to the latest versions to benefit from these security patches.
The tech community and users alike should remain vigilant and prioritize security updates to safeguard their devices and data.