Apple Issues Emergency Patches for Three 0-Day Vulnerabilities
Apple has released urgent patches for three new zero-day vulnerabilities that, by Apple's own account, may have been actively exploited in attacks on iPhone and Mac users. With these updates, Apple has addressed 16 zero-day vulnerabilities in its products so far in 2023.
All three vulnerabilities were reported by researchers at Citizen Lab and Google's Threat Analysis Group. One is in the WebKit browser engine (CVE-2023-41993): processing maliciously crafted web content can lead to arbitrary code execution, so a visit to an attacker-controlled page is enough to trigger it. Another is in the Security framework (CVE-2023-41991): a malicious app can use it to bypass signature validation, which undermines the code-signing checks the platform relies on to reject tampered binaries.
The third vulnerability (CVE-2023-41992) is in the Kernel framework, which provides the APIs and support code for kernel extensions and kernel-resident device drivers. A local attacker, such as a malicious app that has already gained code execution, can exploit it to elevate privileges. Taken together, the three bugs form a complete chain: remote code execution through the browser, a way past signature validation, and a kernel privilege escalation.
Apple has fixed these vulnerabilities in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1; the WebKit fix for older Macs is also shipped separately as Safari 16.6.1. The company warned that the vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7. Note that iOS 17.0 itself is affected: devices that upgraded to iOS 17 need 17.0.1, and devices staying on iOS 16 need 16.7.
Affected Devices
- iPhone 8 and later
- iPad mini (5th generation and later)
- Mac computers running macOS Monterey and later
- Apple Watch Series 4 and later
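Because Apple fixed these bugs on two release lines per product (for example iOS 16.7 and 17.0.1), a fleet check has to compare against the right minimum for the line a device is on, and it has to compare version components numerically rather than as strings, otherwise a hypothetical 16.10 would sort below 16.7. The following script is an added example, not code from the article or from Apple; the fixed-version table is taken from the patch list above, the device inventory is constructed for illustration, and the function names are my own. Release lines the advisory does not list (for instance macOS 11 or iOS 15) are conservatively reported as not patched.

```python
from typing import Dict, List, Optional, Tuple

# Minimum fixed version per product and major release line, from the advisory text above.
FIXED_VERSIONS: Dict[str, Dict[int, str]] = {
    "macOS":   {12: "12.7",  13: "13.6"},
    "iOS":     {16: "16.7",  17: "17.0.1"},
    "iPadOS":  {16: "16.7",  17: "17.0.1"},
    "watchOS": {9:  "9.6.3", 10: "10.0.1"},
}


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '13.6' or '17.0.1' into a comparable (major, minor, patch) tuple.

    Missing trailing components are padded with 0 so that '13.6' == '13.6.0'.
    Returns None for strings that are not dotted integers (betas, typos).
    """
    try:
        parts = [int(p) for p in version.strip().split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 3:
        return None
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_patched(product: str, version: str) -> bool:
    """True only if the installed version is at or above the fix for its release line.

    Anything unparsable, or on a release line this advisory does not cover,
    is treated as NOT patched, which is the safe default for a compliance check.
    """
    installed = parse_version(version)
    if installed is None:
        return False
    fixed = FIXED_VERSIONS.get(product, {}).get(installed[0])
    if fixed is None:
        return False
    return installed >= parse_version(fixed)


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of inventory entries that still need one of these updates."""
    return [d["name"] for d in inventory if not is_patched(d["product"], d["version"])]


# Constructed sample inventory (hypothetical hostnames and versions), e.g. as exported
# from an MDM; on a Mac the version string is what `sw_vers -productVersion` prints.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "mac-eng-01",   "product": "macOS",   "version": "13.6"},     # fixed
    {"name": "mac-eng-02",   "product": "macOS",   "version": "13.5.2"},   # one behind the fix
    {"name": "mac-legacy",   "product": "macOS",   "version": "11.7.10"},  # line not covered here
    {"name": "iphone-ceo",   "product": "iOS",     "version": "17.0"},     # 17.0 is still vulnerable
    {"name": "iphone-ops",   "product": "iOS",     "version": "16.7"},     # fixed
    {"name": "ipad-kiosk",   "product": "iPadOS",  "version": "16.6.1"},   # has BLASTPASS fix only
    {"name": "watch-exec",   "product": "watchOS", "version": "10.0.1"},   # fixed
]

if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_INVENTORY):
        print(f"needs update: {name}")
```

The tuple comparison is what makes the check correct across minor releases; the table lookup keyed on the major version is what keeps a device on iOS 16.7 from being flagged just because 17.0.1 is a higher number.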
Apple has not released further details about how these vulnerabilities were exploited, but Citizen Lab and Google's Threat Analysis Group regularly report zero-day bugs used by commercial spyware in targeted attacks against journalists, opposition figures, and dissidents worldwide, so a narrowly targeted mercenary-spyware campaign is the likely context.
For example, earlier this month Citizen Lab researchers warned that two other Apple zero-days (CVE-2023-41064 in ImageIO and CVE-2023-41061 in Wallet, fixed in iOS 16.6.1) formed a zero-click iMessage exploit chain known as BLASTPASS. That chain was used to deploy NSO Group's Pegasus spyware on iPhones running the latest iOS release at the time, with no interaction from the victim.