Apple has fixed three zero-day vulnerabilities that have been used in attacks on iPhone, Mac, and iPad users. The bugs, identified as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, were found in the WebKit engine. The first vulnerability is a sandbox escape that allows remote attackers to break out of the web content sandbox. The other two are, respectively, an out-of-bounds read issue that allows access to sensitive information and a use-after-free bug that allows arbitrary code to be executed on compromised devices. Exploiting any of these flaws requires the target to first load a malicious web page.
Apple has patched the zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. The list of affected devices is extensive and includes both old and new models of Apple gadgets: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), iPhone 8 and later; iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; Macs running macOS Big Sur, Monterey, and Ventura; Apple Watch Series 4 and later; Apple TV 4K (all models) and Apple TV HD.
Apple reported that CVE-2023-28204 and CVE-2023-32373 were first fixed on May 1 through Rapid Security Response (RSR) patches for devices running iOS 16.4.1 and macOS 13.3.1. Although Apple warns that all of the patched vulnerabilities are already being exploited by hackers, the company did not provide any information about these attacks.