Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16.
The list of security vulnerabilities is as follows –
- CVE-2023-41991 – A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
- CVE-2023-41992 – A security flaw in Kernel that could allow a local attacker to elevate their privileges.
- CVE-2023-41993 – A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content.
Apple did not provide additional specifics barring an acknowledgement that the “issue may have been actively exploited against versions of iOS before iOS 16.7.”
The updates are available for the following devices and operating systems –
- iOS 16.7 and iPadOS 16.7 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iOS 17.0.1 and iPadOS 17.0.1 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
- macOS Monterey 12.7 and macOS Ventura 13.6
- watchOS 9.6.3 and watchOS 10.0.1 – Apple Watch Series 4 and later
- Safari 16.6.1 – macOS Big Sur and macOS Monterey
Credited with discovering and reporting the shortcomings are Bill Marczak of the Citizen Lab at the University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group (TAG), indicating that they may have been abused as part of highly-targeted spyware aimed at civil society members who are at heightened risk of cyber threats.
The disclosure comes two weeks after Apple resolved two other actively exploited zero-days (CVE-2023-41061 and CVE-2023-41064) that have been chained as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus.
This was followed by both Google and Mozilla shipping fixes to contain a security flaw (CVE-2023-4863) that could result in arbitrary code execution when processing a specially crafted image.
There is evidence to suggest that both CVE-2023-41064, a buffer overflow vulnerability in Apple’s Image I/O image parsing framework, and CVE-2023-4863, a heap buffer overflow in the WebP image library (libwebp), could refer to the same bug, according to Isosceles founder and former Google Project Zero researcher Ben Hawkes.
Rezilion, in an analysis published Thursday, revealed that the libwebp library is used in several operating systems, software packages, Linux applications, and container images, highlighting that the scope of the vulnerability is much broader than initially assumed.
“The good news is that the bug seems to be patched correctly in the upstream libwebp, and that patch is making its way to everywhere it should go,” Hawkes said. “The bad news is that libwebp is used in a lot of places, and it could be a while until the patch reaches saturation.”