Apple releases emergency fix for three serious iOS and macOS bugs — update your Mac and iPhone now

Apple has patched three newly discovered zero-day vulnerabilities that threat actors reportedly used to target iPhone and Mac users.

Multiple security advisories published on Apple’s website say the flaws were found in the WebKit browser engine (CVE-2023-41993), the Security framework (CVE-2023-41991), and the Kernel framework (CVE-2023-41992). While the first two can be used by threat actors to execute arbitrary code, the third can be used to escalate privileges.

In other words, all three offer hackers the opportunity to execute malware on iPhone and Mac devices.

iOS and macOS bugs

The devices vulnerable to these flaws are iPhone 8 and newer, iPad mini 5th generation and newer, all Macs running macOS Monterey and newer, and Apple Watch Series 4 and newer. To close the gaps, users need to update macOS to version 12.7/13.6, iOS to version 16.7/17.0.1, iPadOS to version 16.7/17.0.1, and watchOS to version 9.6.3/10.0.1.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS prior to iOS 16.7,” the security advisory reads. The vulnerabilities were discovered by Bill Marczak, a cybersecurity researcher at Citizen Lab, and Maddie Stone, a researcher at Google’s Threat Analysis Group (TAG).

While the Cupertino giant has not yet revealed details about the groups exploiting the flaws or their targets, BleepingComputer notes that TAG typically works to detect flaws used in targeted spyware attacks against high-profile organizations and individuals, including governments, journalists, human rights activists, dissidents and the like.

In total, Apple has fixed 16 zero-day flaws this year, including two in July, three in June and three in May. In April, Apple fixed two more zero-days, and one in February. Most of the flaws were found in the browser engine.

Via: BleepingComputer
