Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks.
The security bugs are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all found in the WebKit browser engine.
They allow attackers to escape the browser sandbox, access sensitive information on the compromised device, and achieve arbitrary code execution following successful exploitation.
“Apple is aware of a report that this issue may have been actively exploited,” the company said when describing the flaws.
The three zero-days were addressed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The complete list of affected devices is quite extensive, and it includes the following:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
Likely exploited in state-backed spyware attacks
Although Apple has not provided specific details about the attacks in which the bugs have been abused, it did reveal that CVE-2023-32409 was reported by Clément Lecigne from Google’s Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International’s Security Lab.
The two researchers and their respective organizations frequently disclose information about state-sponsored campaigns that exploit zero-day vulnerabilities to install surveillance spyware on the devices of politicians, journalists, dissidents, and other individuals in highly-targeted attacks.
For instance, they disclosed in March details on two recent campaigns using complex exploit chains of Android, iOS, and Chrome flaws to install mercenary spyware, one of them a Samsung ASLR bypass flaw CISA warned about on Friday.
June 12th patch deadline
In accordance with the binding operational directive (BOD 22-01) issued in November 2022, Federal Civilian Executive Branch Agencies (FCEB) must apply patches to their systems for all security bugs listed in CISA’s Known Exploited Vulnerabilities catalog.
With today’s update, FCEB agencies are required to secure their iOS, iPadOS, and macOS devices by June 12th, 2023.
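As an added illustration of how a defender would turn the fixed versions listed above and the June 12th due date into an inventory check (this is example code written for this page, not a tool from Apple, CISA or the article's author): the script compares each device's reported OS build against the minimum fixed release, treats Macs still on Big Sur or Monterey as fixed only once they run Safari 16.5 (an assumption about the fix path for those macOS lines, since the article lists Safari 16.5 among the patched releases and those versions among the affected ones), and reports how many days remain before the KEV deadline. The inventory is constructed sample data, not real devices.

```python
from datetime import date

# Minimum OS versions carrying the fixes for CVE-2023-32409, CVE-2023-28204
# and CVE-2023-32373, as listed in the article.
FIXED_OS = {
    "iOS": (16, 5),
    "iPadOS": (16, 5),
    "macOS": (13, 4),
    "tvOS": (16, 5),
    "watchOS": (9, 5),
}
# Safari 16.5 is the fixed browser release. For Macs on Big Sur (11.x) or
# Monterey (12.x) it is ASSUMED here to be the fix that applies.
FIXED_SAFARI = (16, 5)

# Due date set by the KEV entry under BOD 22-01, from the article.
KEV_DUE_DATE = date(2023, 6, 12)


def parse_version(text):
    """'16.4.1' -> (16, 4, 1); tuples compare component-wise, so
    (16, 4, 1) < (16, 5) and (16, 5, 1) > (16, 5)."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"bad version component in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_patched(platform, os_version, safari_version=None):
    """True when the device already runs a build containing the fixes."""
    if platform not in FIXED_OS:
        raise KeyError(f"no fix data recorded for platform {platform!r}")
    osv = parse_version(os_version)
    if platform == "macOS" and osv[0] < 13:
        # Older macOS lines: rely on the Safari build (assumption, see above).
        if safari_version is None:
            return False  # unknown Safari build is treated as unpatched
        return parse_version(safari_version) >= FIXED_SAFARI
    return osv >= FIXED_OS[platform]


def unpatched_devices(inventory):
    """Return the ids of devices that still need the update."""
    return [
        d["id"]
        for d in inventory
        if not is_patched(d["platform"], d["os_version"], d.get("safari_version"))
    ]


def days_until_due(today_iso):
    """Days left before the KEV due date; negative once it has passed."""
    return (KEV_DUE_DATE - date.fromisoformat(today_iso)).days


# Constructed sample inventory (hypothetical device ids and builds).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "os_version": "16.5"},
    {"id": "iphone-02", "platform": "iOS", "os_version": "16.4.1"},
    {"id": "ipad-01", "platform": "iPadOS", "os_version": "16.5.1"},
    {"id": "mac-01", "platform": "macOS", "os_version": "13.4"},
    {"id": "mac-02", "platform": "macOS", "os_version": "13.3.1"},
    {"id": "mac-03", "platform": "macOS", "os_version": "12.6.6", "safari_version": "16.5"},
    {"id": "mac-04", "platform": "macOS", "os_version": "11.7.7", "safari_version": "16.4"},
    {"id": "watch-01", "platform": "watchOS", "os_version": "9.5"},
    {"id": "tv-01", "platform": "tvOS", "os_version": "16.4"},
]

if __name__ == "__main__":
    print("still unpatched:", unpatched_devices(SAMPLE_INVENTORY))
    print("days until KEV due date:", days_until_due(date.today().isoformat()))
```

Feeding a real MDM export into `SAMPLE_INVENTORY`'s shape is the only change needed to use this against an actual fleet; the point of the Safari branch is that a Mac whose OS version looks "old but supported" is not automatically out of scope for these WebKit bugs.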
Although the directive is aimed at U.S. federal agencies, private companies are also strongly advised to give high priority to fixing vulnerabilities in the KEV catalog, since every entry in it is a bug known to be exploited in attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said on Monday.
In April, federal agencies were also warned to secure iPhones and Macs on their networks against another pair of iOS and macOS security flaws reported by Google TAG and Amnesty International security researchers.