WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities
Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address dozens of flaws, including three new zero-days that it said are being actively exploited in the wild.
The three security shortcomings are listed below –
The iPhone maker credited Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting the other two issues.
It’s worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of Rapid Security Response updates – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – the company released at the start of the month.
There are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them.
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
That said, such weaknesses have been historically leveraged as part of highly-targeted intrusions to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.
The latest updates are available for the following devices and operating systems –
Apple has so far remediated a total of six actively exploited zero-days since the start of 2023. Earlier this February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution.
Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and Ó Cearbhaill were credited with reporting the security defects.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.
source
