Apple has issued security patches to address zero-day vulnerabilities that have been exploited in attacks against iPhones, Macs, and iPads that seriously affect the digital security of Apple devices.
The company claims to be aware of reports indicating active exploitation of these vulnerabilities.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in an advisory.
Apple’s multi-platform WebKit browser engine and kernel component tracked as CVE-2023-37450 and CVE-2023-38606, respectively, were found to include two zero-day vulnerabilities that the company patched.
Notably, Apple released Rapid Security Response (RSR) upgrades for iPhones, iPads, and Macs running the most recent versions of their operating systems earlier this month to address CVE-2023-37450.
CVE-2023-37450 – WebKit Vulnerability
WebKit, the browser engine used by all other web browsers on iOS and iPadOS in addition to Apple’s Safari, contains the vulnerability tracked as CVE-2023-37450.
This vulnerability is activated when a susceptible browser processes specially crafted malicious web content.
If successfully exploited, it gives bad actors access to the susceptible devices and the ability to execute arbitrary code, giving them control over the infected system.
All iPhone 8 and later models, all iPad Pro models, iPad Air (3rd generation and later), iPad 5th generation and later, and iPad mini (5th generation) models are all affected by this vulnerability. Further, macOS Ventura is also among the affected systems.
CVE-2023-38606 – Kernel Vulnerability
The second flaw, CVE-2023-38606, is a new Kernel bug that has been used in attacks against iOS devices running older versions.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” the company said.
Attackers could use it to change sensitive kernel states on unpatched devices. Apple fixed the two flaws by enhancing checks and state management.
According to Kaspersky GReAT head security researcher Boris Larin, CVE-2023-38606 is a part of a zero-click attack chain that is used to deploy Triangulation spyware on iPhones via iMessage exploits.
The risk posed by CVE-2023-38606 encompasses many Apple products, including iPhone models beginning with the iPhone 6s and later macOS releases, including Big Sur, Monterey, and Ventura.
All iPad Pro devices, iPad Air 3rd generation and after, iPad 5th generation and later, iPad mini 5th generation and later, and the iPod touch 7th generation are all impacted by this vulnerability.
Additionally, the company backported security updates for tvOS 16.6 and watchOS 9.6 devices to address the zero-day vulnerability (CVE-2023-32409) that was discovered in May.
These security updates are now available for devices running tvOS 16.6 and watchOS 9.6.
With better input validation, bounds checks, and memory management, Apple has effectively resolved the three zero-day vulnerabilities in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5.
Zero-Day Vulnerabilities Patched Since The Beginning Of The Year:
- Three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- Three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- Another WebKit zero-day (CVE-2023-23529) in February