Apple Neutralizes Exploited Vulnerabilities: A Comprehensive Update

Reading Time: ( Word Count: )

July 25, 2023
Nextdoorsec-course

Apple has rolled out security enhancements to neutralise zero-day vulnerabilities exploited in cyber attacks against iPhones, Macs, and iPads.

In response to discovering a WebKit flaw identified as CVE-2023-37450, the company initiated a set of Rapid Security Response (RSR) updates this month. “Apple has received reports indicating potential active exploitation of this issue,” said the firm in a public advisory.

Today, Apple rectified another zero-day, a novel Kernel flaw identified as CVE-2023-38606, which had been exploited to target devices operating on older iOS versions. “We have received reports suggesting that versions of iOS released before iOS 15.7.1 may have been actively exploited due to this issue,” the company reported.

The exploitation on unpatched devices would enable attackers to alter sensitive kernel states. To remedy these two vulnerabilities, Apple incorporated enhanced state management and checks.

Apple Neutralizes Exploited Vulnerabilities

Kaspersky GReAT’s lead security researcher, Boris Larin, reported that CVE-2023-38606 was part of a zero-click exploit chain to implant Triangulation spyware on iPhones via iMessage exploits.

Also Read: “Unseen Risks: How the Stolen Microsoft Key Could Unlock More than Expected”

Additionally, the company applied retroactive security patches for a zero-day (CVE-2023-32409) addressed in May to devices using tvOS 16.6 and watchOS 9.6.

Apple countered the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 by improving memory management, input validation, and bounds checks.

An extensive list of devices was affected by the two zero-days rectified today, including various iPhone and iPad models and Macs operating on macOS Big Sur, Monterey, and Ventura.

So far this year, Apple has remedied 11 zero-day flaws that attackers have exploited to target iOS, macOS, and iPadOS devices.

Earlier this month, Apple issued unscheduled Rapid Security Response (RSR) updates to neutralise a bug (CVE-2023-37450) impacting fully-patched iPhones, Macs, and iPads. Subsequently, the firm acknowledged that the RSR updates interrupted web browsing on specific websites and released corrected versions of the defective patches two days later.

Before this, Apple addressed several other zero-days, including:

  • Three in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439)
  • Another three in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)
  • Two more in April (CVE-2023-28206 and CVE-2023-28205)
  • And a WebKit zero-day (CVE-2023-23529) in February
Saher Mahmood

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *