Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities

May 19, 2023Ravie LakshmananZero-Day/Endpoint Security

apples on Thursday rolling out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws it says are being actively exploited in the wild.

The three security flaws are listed below –

• CVE-2023-32409 – WebKit flaws that can be exploited by bad actors to escape Web Content sandboxes. It was addressed with improved bounds checking.
• CVE-2023-28204 – A read out of bounds issue in WebKit that could be abused to reveal sensitive information when processing web content. It was addressed with improved input validation.
• CVE-2023-32373 – Bug free after use in WebKit which may lead to arbitrary code execution when processing maliciously crafted web content. It has been addressed with improved memory management.

The iPhone maker commends Clément Lecigne of the Google Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting two other issues.

It should be noted that CVE-2023-28204 and CVE-2023-32373 were patched as part of the Quick Security Response Update – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – the company released earlier in the month.

There are currently no additional technical specifications about vulnerabilities, the nature of attacks, or the identity of threat actors who might exploit them.

That said, such vulnerabilities have historically been exploited as part of highly targeted intrusions to spread paid spyware on the devices of dissidents, journalists, and human rights activists, among others.

The latest updates are available for the following devices and operating systems –

• iOS 16.5 and iPadOS 16.5 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
• iOS 15.7.6 and iPadOS 15.7.6 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
• macOS Ventura 13.4 – macOS Coming
• tvOS 16.5 – Apple TV 4K (all models) and Apple TV HD
• watchOS 9.5 – Apple Watch Series 4 and later
• Safari 16.5 – macOS Big Sur and macOS Monterey

Apple has so far recovered a total of six days of actively exploited zero days since early 2023. Early this February, the company installed a WebKit flaw (CVE-2023-23529) that could lead to remote code execution.

Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed code execution with higher privileges. Lecigne and Ó Cearbhaill are credited with reporting the safety flaw.