Emergency update! Apple patches three zero-days

Apple has released security updates for several products to address a handful of zero-day vulnerabilities that may already have been used by criminals. Updates are available for:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

  • CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992, a flaw that could be used by a local attacker to elevate their privileges.
  • CVE-2023-41993, a problem with processing web content that could be used for arbitrary code execution.

Apple says that all these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.

It’s important to note that CVE-2023-41993 is a vulnerability in WebKit. WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

All three vulnerabilities were credited to the same researchers—Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School, and Maddie Stone of Google’s Threat Analysis Group. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security. It is renowned for its research into the use of spyware against journalists, activists, and dissidents.

About two weeks ago, we reported on two Apple issues that CISA added to its catalog of known exploited vulnerabilities. Those vulnerabilities were also discovered as zero-days by Citizen Lab. Together, these two vulnerabilities were found to be used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim and was reportedly used by the NSO Group to deliver the Pegasus spyware.

It is not hard to see how these three new vulnerabilities could be used to compromise a device just by viewing specially crafted malicious web content, so it’s highly recommended to install these updates at your earliest convenience, especially if you are an iPhone user with a high-profile threat model.



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.