Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads.
"Apple is aware of a report that this issue may have been actively exploited," the company revealed in
security advisories describing the flaws.
The security bugs were all found in the multi-platform WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
The first vulnerability is a sandbox escape that enables remote attackers to break out of Web Content sandboxes.
The other two are an out-of-bounds read that can help attackers gain access to sensitive information and a use-after-free issue that allows achieving arbitrary code execution on compromised devices, both after tricking the targets into loading maliciously crafted web pages (web content).
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The list of impacted devices is quite extensive, as the bug affects older and newer models, and it includes:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
The company also revealed that CVE-2023-28204 and CVE-2023-32373 (reported by anonymous researchers) were first addressed with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices issued on May 1.
