Apple has patched three newly discovered zero-day vulnerabilities that were being used in efforts to get into iOS devices including iPhones, iPads, and Macs. The vulnerabilities, which were recorded as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, were all discovered in the WebKit browser engine, which is used across several platforms. The first flaw is a sandbox escape, which gives remote attackers the ability to circumvent Web Content sandboxes and access the original content.
After deceiving the targets into loading deliberately created web pages (web content), the remaining two vulnerabilities include an out-of-bounds read that may assist attackers in gaining access to sensitive information and a use-after-free problem that can assist in obtaining arbitrary code execution on compromised devices. Both of these vulnerabilities can be exploited on compromised devices. In macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5, Apple updated bounds checks, input validation, and memory management to solve the three zero-day vulnerabilities.
The list of affected devices is rather large since the problem affects both earlier and more recent models. The following are some of the devices on the list:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Macs running macOS Big Sur, Monterey, and Ventura iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation Apple TV 4K (all models) and Apple TV HD Apple Watch Series 4 and subsequent models Apple TV 4K (all models).
Additionally, the business said that the vulnerabilities CVE-2023-28204 and CVE-2023-32373, which were discovered by unknown researchers, were fixed for the first time with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices, which were released on May 1.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.