Apple responds to threats: Emergency patches for three new zero-day vulnerabilities

News for those who keep their finger on the pulse.

Apple has released emergency security updates to address three new zero-day vulnerabilities that were exploited in attacks on iPhone and Mac users. This year, the company has already fixed 16 such vulnerabilities.

Two bugs were found in the WebKit browser engine (CVE-2023-41993) and in the Security framework (CVE-2023-41991). These vulnerabilities allowed attackers to execute arbitrary code through specially crafted web pages (the WebKit bug) or to bypass signature verification using malicious applications (the Security framework bug). The third vulnerability was found in the Kernel Framework, which provides an API and support for kernel extensions and device drivers. Local attackers can use this flaw (CVE-2023-41992) to escalate privileges.

Apple fixed all three vulnerabilities in macOS 12.7 / 13.6, iOS 16.7 / 17.0.1, iPadOS 16.7 / 17.0.1, and watchOS 9.6.3 / 10.0.1 by addressing the issue with certificate verification and implementing improved checks.

The company says it is aware of cases of active exploitation of this vulnerability in iOS versions up to iOS 16.7. The list of affected devices includes both old and new models: iPhone 8 and later, iPad mini 5th generation and later, Macs running macOS Monterey and later, and Apple Watch Series 4 and later.

All three vulnerabilities were discovered and reported by Bill Marczak of the Citizen Lab at the University of Toronto and Maddie Stone of Google's Threat Analysis Group.

Citizen Lab and Google Threat Analysis Group previously disclosed zero-day vulnerabilities that were used in targeted spying attacks on high-risk individuals, including journalists, opposition politicians, and dissidents.

Citizen Lab also disclosed two other vulnerabilities (CVE-2023-41061 and CVE-2023-41064) that Apple fixed in emergency security updates earlier this month. These vulnerabilities were used as part of a zero-click exploit chain (BLASTPASS) to infect fully updated iPhones with NSO Group's Pegasus spyware.
 