Apple has patched three newly discovered zero-day vulnerabilities through which threat actors were allegedly targeting iPhone and Mac users.
In multiple security advisories published on the Apple website, it was said that the flaws were found in the WebKit browser engine (CVE-2023-41993), the Security framework (CVE-2023-41991), and the Kernel framework (CVE-2023-41992). While the first two could be used by threat actors to run arbitrary code execution, the third one could be used to escalate privileges.
In other words, all three allow hackers to run malware on iPhone and Mac devices.
iOS and macOS flaws
The endpoints vulnerable to these flaws include iPhones 8 and newer, iPad mini 5th generation and newer, all Macs from macOS Monterey on, and all Apple Watch Series 4 and newer. To plug the holes, users should bring their macOS to version 12.7/13.6, iOS to version 16.7/17.0.1 iPadOS to version 16.7/17.0.1, and watchOS to version 9.6.3/10.0.1.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the security advisory reads. The vulnerabilities were discovered by Citizen Lab’s cybersecurity researcher Bill Marczak, and Google’s Threat Analysis Group’s (TAG) researcher Maddie Stone.
While the Cupertino giant is yet to disclose any details about the groups exploiting the flaws, as well as their targets, BleepignComputer reminds that TAG usually works on finding flaws used in targeted spyware attacks against high-profile organizations and individuals, including governments, journalists, human rights activists, dissidents, and similar.
In total, Apple fixed 16 zero-day flaws this year, including two in July, three in June, and three in May. In April, Apple fixed two more zero days, and in February, one. Most flaws were found in its browser engine.
More from TechRadar Pro
Here's a list of the best endpoint protection services
Looking for a good firewall? Here are the best firewalls right now