Apple releases fixes for three zero-day exploits in Macs, iPhones


Apple released a slew of security updates on May 18, three of which are for zero-day vulnerabilities in a number of its popular devices.

Not much has been released about the vulnerabilities, but the update said that “Apple is aware of a report that this issue may have been actively exploited.”

The first bug, tracked as CVE-2023-32409, can allow a remote attacker to break out of the Web Content sandbox; the second vulnerability, CVE-2023-28204, may disclose sensitive information; while the third vulnerability, CVE-2023-32373, may lead to arbitrary code execution while processing maliciously crafted web content.

The security vulnerabilities were all found and addressed in WebKit for several models of iPhones (iOS 16.5, which runs on iPhone 8 and later), iPads (iPadOS 16.5, which runs on iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later), Macs (Ventura 13.4, Big Sur 11.7.7 and Monterey 12.6.6), Apple Watches (Series 4 and later) and Apple TV (tvOS 16.5), as well as Safari 16.5 for macOS Big Sur and Monterey.

Also affected are all models using iOS 15.7.6 and iPadOS 15.7.6, which include iPhone 6, iPhone 7, iPhone SE, iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

There have been a number of zero-day vulnerabilities targeting Apple products recently, with the most recent patch coming in April for two zero-day vulnerabilities, which the Cybersecurity and Infrastructure Security Agency added to its Known Exploited Vulnerabilities (KEV) catalog.

The security community also learned in April of three more zero-click exploits targeting iOS devices from the notorious NSO Group, makers of the Pegasus spyware.
