Friday, 19 May 2023 13:57

Apple Pushes Out Patches for Three Zero-Day Vulnerabilities Exploited in the Wild

Written by

Reading time is around minutes.

Apple has rushed to release patches for CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 all of which are in the WebKit Browser engine and across all Apple platforms (IOS, IpadOS and macOS). These three flaws have also been seen to be actively exploited in the wild. This increases the significance of them and should be remediated as soon as possible by applying any available patches.

CVE-2023-32409 is a sandbox evasion technique which allows attackers to escape protective boundaries and get further along in their attack efforts. CVE-2023-28204 is an out-of-bounds read which can give an attack access to information from protected areas of the OS. CVE-2023-32373 is a use-after-free vulnerability that can be leveraged for code execution by an attacker. Combined they allow for potential breach of a system when a user loads a malicious website crafted by an attacker.

The list of affected devices is long and includes iPhone6, 7, iPhone SE, iPad Air2, iPad mini, iPhone 8 and later. iPad Pro did not escape the list either nor did Apple Watch (series 4 and later) or Apple TV 4K and HD. for MacOS the list includes Big Sur, Monterey, and Ventura.

This batch makes six zero-day flaws that Apple have responded to since the start of 2023. This shows something that we have been saying for a while. Apple devices are not, and have never been, “secure” they are being targeted by attackers as the threat landscape changes. Because of past misleading statements and marketing campaigns, people have a false sense of security which leads to a greater risk of compromise. Happy patching.

Read 1352 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.