Jump to content
  • Apple emergency updates fix 3 new zero-days exploited in attacks


    Karlston

    • 515 views
    • 2 minutes
     Share


    • 515 views
    • 2 minutes

    Apple released emergency security updates to patch three new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 16 zero-days fixed this year.

     

    Two bugs were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991), enabling attackers to bypass signature validation using malicious apps or gain arbitrary code execution via maliciously crafted webpages.

     

    The third one was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel-resident device drivers. Local attackers can exploit this flaw (CVE-2023-41992) to escalate privileges.

     

    Apple fixed the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks.

     

    "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the company revealed in security advisories describing the security flaws.

     

    The list of impacted devices encompasses older and newer device models, and it includes:

     

    • iPhone 8 and later
    • iPad mini 5th generation and later
    • Macs running macOS Monterey and newer
    • Apple Watch Series 4 and later

     

    All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group.

     

    While Apple has yet to provide additional details regarding the flaws' exploitation in the wild, Citizen Lab and Google Threat Analysis Group security researchers have often disclosed zero-day bugs abused in targeted spyware attacks targeting high-risk individuals, including journalists, opposition politicians, and dissidents.

     

    Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), also fixed by Apple in emergency security updates earlier this month and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware.

     

    Since the start of the year, Apple has also patched:

     

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...