{"id":1260,"date":"2023-05-19T14:29:14","date_gmt":"2023-05-19T13:29:14","guid":{"rendered":"https:\/\/zerothcode.com\/blog\/?p=1260"},"modified":"2023-05-19T14:29:14","modified_gmt":"2023-05-19T13:29:14","slug":"apple-patch-apple-issues-emergency-patches-zero-day-vulnerabilities","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/apple-patch-apple-issues-emergency-patches-zero-day-vulnerabilities\/","title":{"rendered":"WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities"},"content":{"rendered":"<p>apple-patch Apple on Thursday <a href=\"https:\/\/support.apple.com\/en-us\/HT201222\" target=\"_blank\" rel=\"noopener\">rolled out security updates<\/a> to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild. apple-patch<\/p>\n<p>The three security shortcomings are listed below &#8211; apple-patch<\/p>\n<ul>\n<li><strong>CVE-2023-32409<\/strong> &#8211; A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks.<\/li>\n<li><strong>CVE-2023-28204<\/strong>\u00a0&#8211; An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation.<\/li>\n<li><strong>CVE-2023-32373<\/strong>\u00a0&#8211; A use-after free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management.<\/li>\n<\/ul>\n<p>The iPhone maker credited Cl\u00e9ment Lecigne of Google&#8217;s Threat Analysis Group (TAG) and Donncha \u00d3 Cearbhaill of Amnesty International&#8217;s Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting the other two issues. apple-patch<\/p>\n<p>It&#8217;s worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of\u00a0<a href=\"https:\/\/support.apple.com\/en-us\/HT201224\" target=\"_blank\" rel=\"noopener\">Rapid Security Response updates<\/a>\u00a0\u2013 iOS 16.4.1 (a) and iPadOS 16.4.1 (a) \u2013 the company released at the start of the month.apple-patch<\/p>\n<p>There are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them. apple-patch<\/p>\n<p>That said, such weaknesses have been historically leveraged as part of\u00a0highly-targeted\u00a0intrusions\u00a0to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.apple-patch<\/p>\n<p>The latest updates are available for the following devices and operating systems -apple-patch<\/p>\n<ul>\n<li><strong>iOS 16.5 and iPadOS 16.5<\/strong>\u00a0&#8211; iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later<\/li>\n<li><strong>iOS 15.7.6 and iPadOS 15.7.6<\/strong>\u00a0&#8211; iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)<\/li>\n<li><strong>macOS Ventura 13.4<\/strong>\u00a0&#8211; macOS Ventura<\/li>\n<li><strong>tvOS 16.5<\/strong>\u00a0&#8211; Apple TV 4K (all models) and Apple TV HD<\/li>\n<li><strong>watchOS 9.5<\/strong>\u00a0&#8211; Apple Watch Series 4 and later<\/li>\n<li><strong>Safari 16.5<\/strong>\u00a0&#8211; macOS Big Sur and macOS Monterey<\/li>\n<\/ul>\n<p>Apple has so far remediated a total of six actively exploited zero-days since the start of 2023. Earlier this <a href=\"https:\/\/zerothcode.com\/blog\/cracking-the-2fa\/\">February<\/a>, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution. apple-patch<\/p>\n<p>Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and \u00d3 Cearbhaill were credited with reporting the security defects. apple-patch<\/p>\n<p>&nbsp;<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"gkSdxjVlZD\"><p><a href=\"https:\/\/zerothcode.com\/blog\/apple-removes-macos-macos-security\/\">Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security<\/a><\/p><\/blockquote>\n<p><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Apple Removes macOS Feature That Allowed Apps to Bypass Firewall Security&#8221; &#8212; ZEROTHCODE\" src=\"https:\/\/zerothcode.com\/blog\/apple-removes-macos-macos-security\/embed\/#?secret=N546nTAZOk#?secret=gkSdxjVlZD\" data-secret=\"gkSdxjVlZD\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>apple-patch Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to<\/p>\n","protected":false},"author":1,"featured_media":1261,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[303,636,292,321,260],"class_list":["post-1260","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1260"}],"version-history":[{"count":1,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1260\/revisions"}],"predecessor-version":[{"id":1262,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1260\/revisions\/1262"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1261"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1260"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}