Executive Summary
Apple has rushed to patch three new zero-day vulnerabilities that were actively exploited.
The vulnerabilities affect iOS, iPadOS, macOS, Safari, and watchOS.
These zero-day flaws bring the total number of zero-day bugs discovered in Apple’s software this year to 16.
The vulnerabilities include a certificate validation issue, a security flaw in the Kernel, and a WebKit flaw that could result in arbitrary code execution.
Apple users are advised to update impacted software to the latest versions to patch these actively exploited zero-day vulnerabilities.
Vulnerabilities
The following zero-day vulnerabilities have been identified:
- CVE-2023-41991: A certificate validation issue in the Security framework.
- CVE-2023-41992: A security flaw in the Kernel framework.
- CVE-2023-41993: A WebKit flaw that could result in arbitrary code execution.
These vulnerabilities are still being analyzed, and their CVSS scores have not been announced yet.
Apple’s Response
Apple has released emergency security updates to address these vulnerabilities.
The updates are available for the following operating systems and devices:
- iOS 16.7 and iPadOS 16.7: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iOS 17.0.1 and iPadOS 17.0.1: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
- macOS Monterey 12.7 and macOS Ventura 13.6
- watchOS 9.6.3 and watchOS 10.0.1: Apple Watch Series 4 and later
- Safari 16.6.1: macOS Big Sur and macOS Monterey
Apple credits Bill Marczak of The Citizen Lab and Maddie Stone of Google’s Threat Analysis Group for discovering and reporting these vulnerabilities.
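The patched versions listed above are the only data a defender needs to triage an existing device inventory: anything on a listed release branch that is below that branch's floor is still exposed. The script below is an added example written for this page, not Apple's tooling or code from the original article; the device names and versions in the inventory are constructed, and the CSV layout (device, product, version) is an assumption. It goes slightly beyond the advisory by reporting "unknown" for products and branches the advisory does not cover (for example macOS Big Sur or non-Apple devices) rather than guessing at their status.

```python
"""Triage an OS/browser version inventory against the patched versions
listed in Apple's advisory for CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993."""
from __future__ import annotations

import csv
import io

# Minimum patched version per product and release branch, taken from the advisory.
# Branches are keyed by major version so that, e.g., iOS 16.6 is compared against
# 16.7 while iOS 17.0 is compared against 17.0.1.
PATCHED: dict[str, dict[int, tuple[int, int, int]]] = {
    "iOS":     {16: (16, 7, 0), 17: (17, 0, 1)},
    "iPadOS":  {16: (16, 7, 0), 17: (17, 0, 1)},
    "macOS":   {12: (12, 7, 0), 13: (13, 6, 0)},
    "watchOS": {9: (9, 6, 3), 10: (10, 0, 1)},
    "Safari":  {16: (16, 6, 1)},
}

# Constructed sample inventory (hypothetical device names and versions), not real data.
SAMPLE_INVENTORY = """\
device,product,version
iphone-ops-01,iOS,16.6
iphone-ops-02,iOS,16.7
iphone-dev-03,iOS,17.0
ipad-lab-01,iPadOS,17.0.1
mac-build-01,macOS,13.5.2
mac-build-02,macOS,12.7
mac-legacy-01,macOS,11.7.10
watch-01,watchOS,9.6.2
mac-browser-01,Safari,16.6.1
router-01,RouterOS,7.1
"""


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a 3-tuple so that tuple comparison works
    for strings with different component counts (16.7 vs 16.7.1)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one product/version pair.
    'unknown' covers products and release branches the advisory does not list,
    so the script never claims a fix status it has no data for."""
    branches = PATCHED.get(product)
    if branches is None:
        return "unknown"
    v = parse_version(version)
    floor = branches.get(v[0])
    if floor is None:
        return "unknown"
    return "patched" if v >= floor else "vulnerable"


def triage(inventory_csv: str) -> list[tuple[str, str, str, str]]:
    """Assess every row of a device,product,version CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["device"], r["product"], r["version"], assess(r["product"], r["version"]))
            for r in rows]


def summarize(results: list[tuple[str, str, str, str]]) -> dict[str, int]:
    """Count devices per status; 'vulnerable' is the list to act on first."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for _, _, _, status in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for device, product, version, status in results:
        print(f"{status:10} {device:16} {product} {version}")
    print(summarize(results))
```

Point the script at an export from your MDM or asset inventory instead of SAMPLE_INVENTORY; devices reported as "unknown" should be checked by hand rather than assumed safe, since the advisory simply does not list their branch.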
Other Apple Vulnerabilities in 2023
The disclosure follows Apple’s resolution of two other zero-day vulnerabilities. These vulnerabilities were exploited as part of a zero-click iMessage exploit chain called BLASTPASS, which was used to deploy the Pegasus spyware.
For more details regarding those recent zero-days, please refer to our news article: Zero-Day Vulnerabilities in iOS and iPadOS.
In total, Apple has patched 16 actively exploited zero-day vulnerabilities in 2023. Eight of them had a CVSS score of 8 or higher, and three had a CVSS score of 7 or higher.