Apple fixes three new zero-day exploits for cracking iPhone, Mac

The Bleeping Computer website has disclosed that security researchers have discovered three zero-day vulnerabilities in the WebKit browser engine, tracked as CVE-2023-32409, CVE-2023-28204 and CVE-2023-3 2373. A cyber attacker could exploit these vulnerabilities to launch a cyber attack campaign against iPhone, Mac, and iPad.

Vulnerability Details

A cyber attacker could exploit the three vulnerabilities to compromise a user's device to access sensitive user information, or even trick a victim target into loading a maliciously crafted web page (web content) to execute arbitrary code on the compromised device. After receiving feedback on the vulnerabilities, Apple addressed the vulnerabilities by improving boundary checking, input validation and memory management.

It is reported that macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 are affected by the vulnerability. Specific affected models include:

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (first generation); iPad Air 2, iPad mini (fourth generation), iPod touch (seventh generation), and iPhone 8 and later;

iPad Pro (all models), iPad Air third generation and later, iPad fifth generation and later, iPad mini fifth generation and later;

Mac computers running macOS Big Sur, Monterey and Ventura;

Apple Watch Series 4 and later;

Apple TV 4K (all models) and Apple TV HD.

Apple said it has internal knowledge of three zero-day vulnerabilities that are being actively exploited in the wild. The Rapid Security Response (RSR) patch for iOS 16.4.1 and macOS 13.3.1 devices, released May 1, addresses both vulnerabilities, CVE-2023-28204 and CVE-2023-32373.

CVE-2023-32409 was discovered and reported by Clément Lecigne, a member of Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a member of Amnesty International's Security Lab. The organizations to which the two researchers belong regularly disclose hacking activities with a national background, in which cybercriminals use zero-day vulnerabilities to deploy spyware on the smartphones and computers of politicians, journalists, dissidents and others.

Apple Fixes Multiple Zero-Days in 2023

Apple has suffered multiple security vulnerabilities going into 2023.

In February, Apple addressed a WebKit zero-day (CVE-2023-23529) that could be used by attackers to execute code on vulnerable iPhones, iPads and Macs. In April, Apple fixed two zero-day vulnerabilities, CVE-2023-28206 and CVE-2023-20205, which could be exploited by an attacker to deploy commercial spyware on a targeted device.