September 22, 2023
In an emergency security update, Apple has identified three zero-day vulnerabilities affecting iPhones and Mac products that are actively being exploited.
One vulnerability, tracked as CVE-2023-41992, is a flaw in the Kernel Framework that threat actors can exploit to escalate privileges. The other two vulnerabilities, tracked as CVE-2023-41993 and CVE-2023-41991, are found in the WebKit browser engine and the Security Framework, respectively. Threat actors who exploit these vulnerabilities could potentially "bypass signature validation" as well as "gain arbitrary code execution via maliciously crafted webpages," according to Apple's advisory.
The zero-days affect both older and more recent models of Apple products, including iPhone 8 and later; iPad mini 5th generation and later; any Mac running macOS Monterey or later; and the Apple Watch Series 4 and later.
These issues have been fixed in iOS 16.7, iPadOS 16.7, iOS 17.0.1, iPadOS 17.0.1, and Safari 16.6.1. They were first discovered and reported by Bill Marczak at Citizen Lab and Maddie Stone at Google's Threat Analysis Group. Citizen Lab typically keeps tabs on spyware cases, but so far there are no details available as to the nature of the in-the-wild exploits or attacks.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the National Vulnerability Database stated, though the extent to which they were exploited is unknown.