Apple Fixes Three New Zero-Days Exploited to Hack iPhones, Macs
Cyber Security Threat Summary:
Apple recently patched three new zero-day flaws that were exploited in attacks targeting vulnerable iPhones, Macs, and iPads. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, the vulnerabilities reside in the multi-platform WebKit browser engine.
“The first vulnerability is a sandbox escape that enables remote attackers to break out of Web Content sandboxes. The other two are an out-of-bounds read that can help attackers gain access to sensitive information and a use-after-free issue that allows achieving arbitrary code execution on compromised devices, both after tricking the targets into loading maliciously crafted web pages (web content)” (Bleeping Computer, 2023).
Below is the list of impacted devices:
Security Officer Comments:
Although Apple stated it is aware of attacks in the wild exploiting the flaws, the technical details have yet to be disclosed. This is usually the case, as withholding the details gives users enough time to update their devices before actors create custom exploits. With the public disclosure, users should make sure to update their devices as soon as possible to prevent potential exploitation attempts.
Suggested Correction(s):
CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 were addressed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5, with the vendor incorporating improved bounds checking. Organizations should ensure they are running the latest versions.
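One way to act on the version guidance above, as an added example that is not part of the original summary: a Python check that compares an inventory export against the fixed releases named here. The CSV layout, host names, and function names are assumptions; rows on an older major release line are reported as `unknown` because this summary names no fixed version for them.

```python
import csv
import io

# First patched release per platform, as stated in this summary.
FIXED = {
    "macos": (13, 4),
    "ios": (16, 5),
    "ipados": (16, 5),
    "tvos": (16, 5),
    "watchos": (9, 5),
    "safari": (16, 5),
}

def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"          # platform not covered by this summary
    try:
        found = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return "unknown"          # empty or non-numeric version string
    # The summary names a fix only on these major release lines; an older
    # major line (e.g. macOS 12) needs the vendor advisory, so do not guess.
    if found[0] < fixed[0]:
        return "unknown"
    # Pad a bare major version such as '13' to '13.0' before comparing.
    found += (0,) * (len(fixed) - len(found))
    return "patched" if found >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map host -> status for CSV text with host,platform,version columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,platform,version
mac-01,macOS,13.3.1
mac-02,macOS,13.4
mac-03,macOS,12.6.5
phone-01,iOS,16.5.1
watch-01,watchOS,9.4
tv-01,tvOS,beta
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` need manual review against the vendor advisory rather than being counted as patched.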
Link(s):
https://www.bleepingcomputer.com/