Flash Notice: Apple Patches Three Critical Zero-Day Vulnerabilities

overview

This week, Apple addressed and patched three critical zero-day vulnerabilities that pose a significant threat to all Apple product users, including iPad, Apple Watch, macOS, and iPhone devices. This brings the total number of zero-days fixed by Apple this year to 16. 

THE VULNERABILITIES

CVE-2023-41991, found within the Security framework, can be exploited by a malicious application, allowing it to circumvent signature validation.  

CVE-2023-41993, situated within the WebKit browser engine, may be triggered through the handling of specially crafted web content, potentially resulting in arbitrary code execution. 

CVE-2023-41992 is found in the Kernel Framework. This vulnerability can be exploited by attackers to escalate privileges. 

Impacted devices are as follows:  

• iPhone 8 and later 
• iPad mini 5th generation and later 
• Macs running macOS Monterey and newer 
• Apple Watch Series 4 and later 

Apple has fixed the vulnerabilities in the following software versions: 

• macOS 12.7/13.6 
• iOS 16.7/17.0.1 
• iPadOS 16.7/17.0.1 
• watchOS 9.6.3/10.0.1 

Apple acknowledges that these vulnerabilities may have been actively exploited in versions of iOS prior to iOS 16.7, emphasizing the urgency of updating your devices. These vulnerabilities have the potential to facilitate the deployment of the NSO Group's Pegasus spyware.  

To protect your devices and data, Avertium strongly recommends updating your Apple products immediately. Apple has released updates for iOS, iPadOS, macOS, watchOS, and Safari.  

avertium's recommendationS

• macOS 12.7/13.6 
• iOS 16.7/17.0.1 
• iPadOS 16.7/17.0.1 
• watchOS 9.6.3/10.0.1 

INDICATORS OF COMPROMISE (IoCs)

How Avertium is Protecting Our CUSTOMERS

SUPPORTING DOCUMENTATION