Apple reveals some serious security bugs, so be on your guard
Three zero-days discovered being used in the wild
Apple has announced it has fixed three zero-day vulnerabilities that various threat actors are using to target iPhones, Macs, and iPad devices.
In a security advisory, the company said all three flaws were found in its WebKit browser engine. WebKit is Apple’s browser engine best known for being the underlying technology in the Safari web browser, as well as being used in all web browsers on iOS and iPadOS.
As such, WebKit is an attractive target for threat actors looking for vulnerabilities that can be used to grant access to the target endpoint.
No details
In this particular instance, Apple found flaws tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
One is a sandbox escape flaw, one an out-of-bounds read flaw that allows threat actors unabated access to sensitive information, and one a use-after-free vulnerability allowing for arbitrary code execution.
“Apple is aware of a report that this issue may have been actively exploited,” Apple’s security advisory reads. As usual, the details about the groups leveraging the flaw, or their modus operandi, were not disclosed, so as to not give other threat actors any ideas while consumers and businesses update their devices. Hence, we don’t know if any new malware was found in the wild.
Apple declined the media’s request for additional comments.
The flaws were fixed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5, the company confirmed.
Here is a full list of all affected devices:
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.