The latest software updates released by Apple for macOS, iOS, iPadOS, Safari, tvOS, and watchOS contain patches for three zero-day vulnerabilities that are known to be actively exploited in attacks. These vulnerabilities exist within the WebKit browser engine used by Safari, and other macOS and iOS applications. Currently the CVE information about these vulnerabilities is limited and no CVSS scores have been published yet on the NIST National Vulnerability Database.
The first vulnerability tracked as CVE-2023-32409 can be exploited by a remote attacker to allow them to break out of the WebContent sandbox. This has been resolved in the recent updates with improved bounds checking. The other two zero-day flaws were first resolved in the new Rapid Security Response system updates, in macOS 13.3.1, iOS 16.4.1, and iPadOS 16.4.1, which were released at the start of the month. CVE-2023-28204, is an out-of-bounds read vulnerability, that attackers can exploit through the issues processing web content which can lead to disclosure of sensitive information. The latest updates have resolved this through improved input validation. The final actively exploited flaw patched is a use-after-free vulnerability tracked as CVE-2023-32373. Attackers can exploit this flaw by sending malicious web content to the vulnerable WebKit for processing, which can then lead to arbitrary code execution. Improved memory management resolves this issue in the new updates.
The fixed software versions include iOS 16.5 and iPadOS 16.5, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, macOS Ventura 13.4, tvOS 16.5, and watchOS 9.5. Apple security updates were also released for macOS Big Sur 11.7.7 and macOS Monterey 12.6.6 on the same day, however these updates do not contain patches for these zero-day flaws. These macOS updates do still contain patches for a number of identified security risks including vulnerabilities with associated CVE-IDs, so these updates should still be applied by users of these systems. A full list of the most recent security updates can be found on Apple’s website.