Apple has released an emergency software update that addresses three zero-day vulnerabilities that have been actively exploited by attackers. The bugs affected the Safari browser as well as software platforms for Apple Watch, iPhone, iPad and Mac computers.
The first vulnerability, CVE-2023-41991, is in the Security framework and makes it possible to “bypass signature verification”. The second, CVE-2023-41992, is a vulnerability in the Kernel framework that can be used to escalate privileges on the system. Finally, the third, CVE-2023-41993, is located in the WebKit browser engine and makes it possible to “execute arbitrary code through malicious sites”.
The vulnerabilities affected a variety of Apple devices: iPhone 8 and all later models; iPad mini 5th generation and later; Apple Watch Series 4 and later smartwatches; and Mac computers running macOS Monterey and later. The bugs are fixed in iOS 16.7, iOS 17.0.1, iPadOS 16.7, iPadOS 17.0.1, macOS Monterey 12.7, macOS Ventura 13.6, watchOS 9.6.3, watchOS 10.0.1, and Safari 16.6.1.
The vulnerabilities in Apple’s software were discovered by Bill Marczak of the Citizen Lab at the University of Toronto (Canada) and Maddie Stone of the Threat Analysis Group at Google.