Apple has released emergency security updates to address three newly discovered zero-day vulnerabilities that were exploited in attacks targeting iPhone and Mac users. These fixes bring the total number of zero-days addressed by Apple in 2023 to 16.
The vulnerabilities were identified in the WebKit browser engine, the Security framework, and the Kernel Framework. Their potential consequences include signature validation bypass, arbitrary code execution through malicious webpages, and privilege escalation by local attackers.
The emergency updates from Apple cover several operating systems: macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1. Apple acknowledges that these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.
Devices impacted by these zero-days include iPhone 8 and later, iPad mini 5th generation and later, Macs running macOS Monterey and newer, and Apple Watch Series 4 and later.
Bill Marczak from Citizen Lab at The University of Toronto’s Munk School and Maddie Stone from Google’s Threat Analysis Group discovered and reported all three zero-day vulnerabilities.
While Apple hasn’t provided detailed information on the attacks, it’s worth noting that zero-days like these have often been associated with targeted spyware campaigns against high-risk individuals, such as journalists, opposition politicians, and dissidents. In light of this, prompt patching and heightened cybersecurity measures are crucial for safeguarding affected devices.