Apple has released security updates for several products to address several serious vulnerabilities including some actively exploited zero-days.
Apple has released security updates for several products to address several serious vulnerabilities including some actively exploited zero-days. Updates are available for these products:
The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.
How to update your iPhone or iPad.
How to update macOS on Mac.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Some of the notable CVEs patched in these updates are:
CVE-2023-38606: A vulnerability in the kernel that may allow an app to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. The exploitation of this vulnerability took place as part of a 0-click exploit chain used to install spyware. These exploitation methods are named like that because they require no user interaction to compromise a device.
CVE-2023-32409: a vulnerability in the WebKit. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. A patch for this vulnerability was issued in May for iOS 16 and iPadOS 16, but is now also available for iOS 15.7.8 and iPadOS 15.7.8.
WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.
CVE-2023-37450: Another WebKit vulnerability where processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This vulnerability has been covered by a Rapid Security Response (RSR) earlier because Apple was aware of a report that this issue may have been actively exploited.
CVE-2023-32416: a vulnerability in the Find My app which could allow another app to read sensitive location information. This issue was addressed with improved restrictions.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.