Apple has swiftly issued crucial security updates in response to the exploitation of three fresh zero-day vulnerabilities. The vulnerabilities are being utilized in targeted attacks against iPhone and Mac users. This brings the total count of zero-day vulnerabilities resolved by Apple this year to 16.”
They are identified as CVE-2023-41993 within the WebKit browser engine and CVE-2023-41991 within the Security framework. These issues allow malicious actors to circumvent signature validation through nefarious applications or achieve arbitrary code execution by manipulating maliciously crafted webpages.
The third vulnerability, identified within the Kernel Framework, serves as the backbone for kernel extensions and kernel-resident device drivers. This flaw, denoted as CVE-2023-41992, presents a potential security risk that local attackers can exploit to escalate their privileges.
Apple addressed these three zero-day vulnerabilities in multiple operating systems; following are the products affected:
CVE-2023-41991 -> MacOS Ventura prior to 13.6
CVE-2023-41993 – Safari prior to 16.6.1
CVE-2023-41992 – MacOS Ventura prior to 13.6 and MacOS Monterey prior to 12.7
These critical security fixes primarily focused on resolving a certificate validation problem and implementing enhanced security checks.
The zero-day vulnerabilities were initially discovered and reported by Bill Marczak from Citizen Lab at the University of Toronto’s Munk School and Maddie Stone from Google’s Threat Analysis Group.
Apple has not disclosed how these vulnerabilities were used in real-world attacks.