Apple has rolled out security enhancements to neutralise zero-day vulnerabilities exploited in cyber attacks against iPhones, Macs, and iPads.
In response to discovering a WebKit flaw identified as CVE-2023-37450, the company initiated a set of Rapid Security Response (RSR) updates this month. “Apple has received reports indicating potential active exploitation of this issue,” said the firm in a public advisory.
Today, Apple rectified another zero-day, a new kernel flaw identified as CVE-2023-38606, which had been exploited to target devices running older iOS versions. “We have received reports suggesting that versions of iOS released before iOS 15.7.1 may have been actively exploited due to this issue,” the company reported.
Successful exploitation on unpatched devices would enable attackers to modify sensitive kernel state. To remedy these two vulnerabilities, Apple incorporated enhanced state management and checks.
Kaspersky GReAT’s lead security researcher, Boris Larin, reported that CVE-2023-38606 was part of a zero-click exploit chain to implant Triangulation spyware on iPhones via iMessage exploits.
Additionally, the company backported security patches for a zero-day (CVE-2023-32409) addressed in May to devices running tvOS 16.6 and watchOS 9.6.
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 by improving memory management, input validation, and bounds checks.
The two zero-days rectified today affect an extensive list of devices, including various iPhone and iPad models and Macs running macOS Big Sur, Monterey, and Ventura.
So far this year, Apple has remedied 11 zero-day flaws that attackers have exploited to target iOS, macOS, and iPadOS devices.
Earlier this month, Apple issued unscheduled Rapid Security Response (RSR) updates to neutralise a bug (CVE-2023-37450) impacting fully-patched iPhones, Macs, and iPads. Subsequently, the firm acknowledged that the RSR updates interrupted web browsing on specific websites and released corrected versions of the defective patches two days later.
Before this, Apple addressed several other zero-days, including:
- Three in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439)
- Another three in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373)
- Two more in April (CVE-2023-28206 and CVE-2023-28205)
- And a WebKit zero-day (CVE-2023-23529) in February