Apple fixes two new actively exploited zero-days
WebKit and Kernel vulnerabilities could allow attackers to control devices remotely and install malware with no interactions with the user required
Apple has rolled out security updates to address zero-day vulnerabilities that have been exploited in attacks targeting iPhones, Macs, and iPads, posing a significant threat to the digital security of Apple devices worldwide.
The company says it is aware of reports suggesting active exploitation of these vulnerabilities.
Two zero-days addressed by Apple, tracked as CVE-2023-37450 and CVE-2023-38606, were found within Apple's multi-platform WebKit browser engine and kernel component, respectively.
Earlier this month, Apple patched CVE-2023-37450 by issuing Rapid Security Response (RSR) updates for iPhones, iPads, and Macs running the latest versions of their operating systems.
RSR updates serve as small security fixes implemented between major patches, and they are automatically applied to most users' devices. Even if a user declines the RSR update, their device will still receive the necessary patch when Apple releases its next major software update. This ensures that all Apple devices remain protected against potential security vulnerabilities.
WebKit vulnerability
CVE-2023-37450 exists in WebKit, the browser engine utilised not only by Apple's Safari web browser but also by all other web browsers on iOS and iPadOS.
This vulnerability is triggered when a vulnerable browser processes specially crafted malicious web content.
If successfully exploited, it allows malicious actors to execute arbitrary code on the vulnerable devices, granting them control over the compromised system.
The devices impacted by this vulnerability include iPhone 8 and later models, all iPad Pro models, iPad Air (3rd generation and later), iPad 5th generation and later, and iPad mini 5th generation and later.
Additionally, macOS Ventura is also among the affected systems.
Kernel flaw
CVE-2023-38606, the second vulnerability, is a new Kernel flaw, which has been exploited in attacks targeting devices using older iOS versions.
Apple has verified the reports of active exploitation of this issue specifically affecting iOS versions released before iOS 15.7.1.
If left unpatched, this flaw enables attackers to manipulate sensitive kernel states.
According to Boris Larin, the lead security researcher at Kaspersky GReAT, CVE-2023-38606 is part of a zero-click exploit chain that malicious actors have utilised to deploy Triangulation spyware on iPhones through iMessage exploits.
This type of sophisticated attack allows the spyware to be installed without any interaction or knowledge from the targeted user, making it even more dangerous and concerning.
The threat scope due to CVE-2023-38606 extends across a broad range of Apple devices, encompassing macOS versions like Big Sur, Monterey, and Ventura, along with iPhone models starting from the iPhone 6s and onwards.
This vulnerability also affects all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, as well as the iPod touch 7th generation.
Cybersecurity experts Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko and Boris Larin from Kaspersky reported this flaw.
In addition to addressing the vulnerabilities mentioned above, Apple has taken further action by backporting security patches for a zero-day vulnerability, CVE-2023-32409, which was previously resolved in May.
These security patches have been extended to devices running tvOS 16.6 and watchOS 9.6.
Apple has effectively addressed the three zero-day vulnerabilities in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved input validation, bounds checks, and memory management.
Since the start of the year, Apple has patched multiple zero-day vulnerabilities, including:
- Three zero-days (CVE-2023-32434, CVE-2023-32439 and CVE-2023-32435) in June, which enabled the installation of Triangulation spyware on iPhones via iMessage zero-click exploits.
- Three zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May.
- Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April, targeting Android, iOS, and Chrome platforms.
- A WebKit zero-day vulnerability (CVE-2023-23529) in February, exploited by hackers to execute code on vulnerable iPhones, iPads, and Macs.