CVE-2023-32409 is a sandbox evasion technique which allows attackers to escape protective boundaries and get further along in their attack efforts. CVE-2023-28204 is an out-of-bounds read which can give an attack access to information from protected areas of the OS. CVE-2023-32373 is a use-after-free vulnerability that can be leveraged for code execution by an attacker. Combined they allow for potential breach of a system when a user loads a malicious website crafted by an attacker.

The list of affected devices is long and includes iPhone6, 7, iPhone SE, iPad Air2, iPad mini, iPhone 8 and later. iPad Pro did not escape the list either nor did Apple Watch (series 4 and later) or Apple TV 4K and HD. for MacOS the list includes Big Sur, Monterey, and Ventura.

This batch makes six zero-day flaws that Apple have responded to since the start of 2023. This shows something that we have been saying for a while. Apple devices are not, and have never been, “secure” they are being targeted by attackers as the threat landscape changes. Because of past misleading statements and marketing campaigns, people have a false sense of security which leads to a greater risk of compromise. Happy patching.