iOS, macOS, Safari, and More Vulnerable



Sep 22, 2023 | THN | Zero Day / Vulnerability


Apple has released another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, bringing the total tally of zero-day bugs discovered in its software this year to 16.

The list of security vulnerabilities is as follows –

  • CVE-2023-41991 – A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992 – A security flaw in the Kernel that could allow a local attacker to elevate their privileges.
  • CVE-2023-41993 – A WebKit flaw that could lead to arbitrary code execution when processing specially crafted web content.

Apple did not provide additional specifics beyond an acknowledgement that the “issue may have been actively exploited against versions of iOS before iOS 16.7.”


The updates are available for the following devices and operating systems –

Credited with discovering and reporting the flaws are Bill Marczak of the Citizen Lab at the University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group (TAG), indicating that they may have been abused as part of highly targeted spyware aimed at civil society members who are at heightened risk of cyber threats.

The disclosure comes two weeks after Apple resolved two other actively exploited zero-days (CVE-2023-41061 and CVE-2023-41064) that were chained as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus.

This was followed by both Google and Mozilla shipping fixes to contain a security flaw (CVE-2023-4863) that could lead to arbitrary code execution when processing a specially crafted image.


There is evidence to suggest that both CVE-2023-41064, a buffer overflow vulnerability in Apple’s Image I/O image parsing framework, and CVE-2023-4863, a heap buffer overflow in the WebP image library (libwebp), may refer to the same bug, according to Isosceles founder and former Google Project Zero researcher Ben Hawkes.

Rezilion, in an analysis published Thursday, revealed that the libwebp library is used in multiple operating systems, software packages, Linux applications, and container images, highlighting that the scope of the vulnerability is much broader than initially assumed.

“The good news is that the bug seems to be patched correctly in the upstream libwebp, and that patch is making its way to everywhere it should go,” Hawkes said. “The bad news is that libwebp is used in a lot of places, and it could be a while until the patch reaches saturation.”
