Apple Addresses Three Zero-Day Vulnerabilities in Latest Updates

One sentence summary – Apple has patched three new zero-day vulnerabilities in its latest operating system updates, including a vulnerability that allows a malicious app to bypass signature verification, a kernel flaw that allows a local attacker to elevate privileges, and a WebKit bug that can be exploited for arbitrary code execution through a malicious webpage, with evidence suggesting that these vulnerabilities may have been exploited by a commercial spyware vendor to hack iPhones.

At a glance

• Apple has patched three new zero-day vulnerabilities in its latest operating system updates.
• The vulnerabilities allow for bypassing signature verification, elevating privileges, and executing arbitrary code.
• The patches have been rolled out for Safari, iOS, iPadOS, macOS, and watchOS.
• Researchers at the University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group reported the vulnerabilities to Apple.
• Promptly updating devices to the latest operating system versions is advised to protect against potential attacks.

The details

Apple has recently announced the patching of three new zero-day vulnerabilities in its latest operating system updates.

These vulnerabilities, namely CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, have been identified and addressed by Apple.

CVE-2023-41991 is a vulnerability that allows a malicious app to bypass signature verification.

This could potentially enable unauthorized access or execution of malicious code.

CVE-2023-41992 is a vulnerability that relates to a kernel flaw.

This flaw allows a local attacker to elevate privileges.

Exploiting this vulnerability could grant an attacker escalated system access and control.

CVE-2023-41993 is a vulnerability associated with a WebKit bug.

This bug can be exploited for arbitrary code execution through a malicious webpage.

If successfully exploited, an attacker could execute arbitrary code on a victim’s device.

Apple has taken prompt action to address these vulnerabilities.

This ensures user safety across various platforms.

The patches have been rolled out for Safari, iOS, iPadOS, macOS, and watchOS.

Users are advised to update their devices to the latest operating system versions to protect themselves from potential attacks.

Apple became aware of active exploitation targeting iOS versions prior to 16.7.

These vulnerabilities were reported to Apple by researchers at the University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group.

The researchers discovered evidence suggesting that these vulnerabilities may have been exploited by a commercial spyware vendor to hack iPhones.

Apple and Citizen Lab have dealt with similar issues in the past.

They jointly investigated attacks involving a zero-day vulnerability identified as CVE-2023-41064.

This particular vulnerability was used to deliver the NSO Group’s Pegasus spyware to iPhones.

CVE-2023-41064 impacts the WebP image format and also affects Chrome and Firefox web browsers.

To mitigate potential risks, both Google and Mozilla have released emergency updates addressing this zero-day vulnerability.

They are tracking it as CVE-2023-4863.

Apple has taken swift action to address the three zero-day vulnerabilities.

This ensures user safety across its range of operating systems.

Users are urged to update their devices to the latest software versions provided by Apple.

The discovery of active exploitation and the involvement of a commercial spyware vendor highlight the significance of diligent security measures.

Prompt patching of vulnerabilities is crucial.

Article X-ray