Apple Fixes 3 More Zero-Day Vulnerabilities

All of the security bugs are under active attack, but the extent of their exploitation is unknown.

Dark Reading Staff, Dark Reading

September 22, 2023

In an emergency security update, Apple has identified three zero-day vulnerabilities affecting iPhones and Mac products that are actively being exploited.

One vulnerability, tracked as CVE-2023-41992, is a flaw found in the Kernel Framework that threat actors can exploit to escalate privileges. The other two vulnerabilities, tracked as CVE-2023-41993 and CVE-2023-41991, are found in the WebKit browser engine and the Security Framework, respectively. Threat actors gain the ability to potentially "bypass signature validation" as well as "gain arbitrary code execution via maliciously crafted webpages" should they exploit these vulnerabilities, according to Apple's advisory.

Devices impacted by these zero-days range from older to more recent models of Apple products, including iPhone 8 and later; iPad mini 5th generation and later; any Mac running on macOS Monterey or later; and the Apple Watch Series 4 and later.

These issues have been fixed in iOS 16.7, iPadOS 16.7, iOS 17.0.1, iPadOS 17.0.1, and Safari 16.6.1, and were first discovered and reported by Bill Marczak at Citizen Lab and Maddie Stone at Google's Threat Analysis Group. Citizen Lab typically keeps tabs on spyware cases, but so far there are no details available as to the nature of the in-the-wild exploits or attacks.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the National Vulnerability Database stated, though the extent to which they were exploited is unknown.
