Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads.
"Apple is aware of a report that this issue may have been actively exploited," the company revealed in security advisories describing the flaws.
The security bugs were all found in the multi-platform WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
The first vulnerability is a sandbox escape that enables remote attackers to break out of Web Content sandboxes.
The other two are an out-of-bounds read that can help attackers gain access to sensitive information and a use-after-free issue that allows achieving arbitrary code execution on compromised devices, both after tricking the targets into loading maliciously crafted web pages (web content).
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The list of impacted devices is quite extensive, as the bugs affect both older and newer models, and it includes:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
The company also revealed that CVE-2023-28204 and CVE-2023-32373 (reported by anonymous researchers) were first addressed with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices issued on May 1.
An Apple spokesperson did not reply when BleepingComputer asked at the time for more details on which flaws were fixed with the May RSR updates.
Six zero-days patched since the start of 2023
While Apple says it's aware that the three zero-days patched today are under exploitation, it didn't share any information regarding these attacks.
However, today's advisories reveal that CVE-2023-32409 has been reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab.
The organizations the two researchers are part of regularly disclose details on state-backed campaigns exploiting zero-day bugs to deploy mercenary spyware on the smartphones and computers of politicians, journalists, dissidents, and more.
In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of in-the-wild exploit chains of Android, iOS, and Chrome zero-day and n-day vulnerabilities, abused to deploy commercial spyware on the devices of high-risk targets worldwide.
In February, Apple addressed one more WebKit zero-day (CVE-2023-23529) exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.