Apple has released emergency patches to address three zero-day vulnerabilities that are being actively exploited in the wild in attacks on iPhone and Mac users. A vulnerability – CVE-2023-41991 – in the Apple security framework could be exploited to allow a malicious app to bypass signature validation. A vulnerability has been identified in the WebKit browser engine – CVE-2023-41993 – that could be exploited via a maliciously crafted website. Processing the maliciously crafted content could lead to code execution. CVE-2023-41992 is a vulnerability in the Apple Kernel that can be exploited by a local user, allowing privileges to be escalated. Apple credited the discovery of the three vulnerabilities to Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group.
Apple says the vulnerabilities affect iPhone 8 and later, iPad mini 5th generation and later, Macs running macOS Monterey and newer, and Apple Watch Series 4 and later. The patches have been applied to the following:
- iOS 16.7 and iOS 17.0.1
- iPadOS 16.7 and iPadOS 17.0.1
- watchOS 9.6.3 and watchOS 10.0.1
- macOS Ventura 13.6 and macOS Monterey 12.7
- Safari 16.6.1
The extent to which the vulnerabilities have been exploited in the wild has not been disclosed; however, the vulnerabilities typically identified by Citizen Lab and the Google Threat Analysis Group have usually been exploited in highly targeted attacks against high-risk individuals such as journalists, civil rights activists, dissidents, and politicians to deliver spyware such as NSO Group’s Pegasus spyware. So far this year, Apple has addressed 16 zero-day vulnerabilities in its products, including two zero-day vulnerabilities last month that were exploited in an attack chain dubbed BLASTPASS to infect iPhones with Pegasus spyware. While the latest vulnerabilities are likely to be exploited in highly targeted attacks, all users should ensure that they are running the patched versions.