Apple discloses three zero-day vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Apple has disclosed three zero-day vulnerabilities which, at the time of writing, have possibly been exploited in the wild. The security flaws all relate to the WebKit browser engine and are tracked as follows:

– CVE-2023-32409

– CVE-2023-28204

– CVE-2023-32373

Impact

– Successful exploitation of CVE-2023-32409 allows remote threat actors to escape Web Content sandboxes.

– Successful exploitation of CVE-2023-28204 or CVE-2023-32373 could allow threat actors to gain access to sensitive data and the ability to execute arbitrary code on compromised devices.

The exploitation of the above vulnerabilities could lead to the compromise of the integrity of sensitive data contained within vulnerable devices.

Vulnerability Detection

Apple has released security updates that address these vulnerabilities. As such, versions prior to those updates remain vulnerable to potential exploitation.

Affected Products

– iPhone 6s

– iPhone 7

– iPhone SE (1st generation)

– iPad Air 2

– iPad mini (4th generation)

– iPod touch (7th generation)

– iPhone 8 and later

– iPad Pro (all models)

– iPad Air 3rd generation and later

– iPad 5th generation and later

– iPad mini 5th generation and later

– Mac devices operating macOS Big Sur, Monterey, and Ventura

– Apple Watch Series 4 and later

– Apple TV 4K (all models) and Apple TV HD

Containment, Mitigations & Remediations

It is strongly recommended that Apple users apply the relevant product updates as soon as possible. The vulnerabilities were addressed in the following updates:

– macOS Ventura 13.4

– iOS and iPadOS 16.5

– tvOS 16.5

– watchOS 9.5

– Safari 16.5
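One way to check a device inventory against the fixed versions listed above (an added example, not part of the original bulletin). The inventory records, field names and status labels are constructed for illustration, and the check assumes Safari 16.5 is the applicable fix on macOS Big Sur and Monterey, since the list gives no macOS update for those releases.

```python
# Added example. Fixed versions are the ones listed in this bulletin;
# inventory records and field names are constructed for illustration.
FIXED = {"iOS": (16, 5), "iPadOS": (16, 5), "tvOS": (16, 5),
         "watchOS": (9, 5), "Safari": (16, 5), "macOS Ventura": (13, 4)}

def parse_version(text):
    """'16.4.1' -> (16, 4, 1); raises ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def at_least(installed, fixed):
    """Compare after zero-padding, so 16.5 == 16.5.0 and 16.4.1 < 16.5."""
    n = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) >= pad(fixed)

def assess(rec):
    """Return 'patched', 'vulnerable' or 'check_advisory' for one record."""
    ver = parse_version(rec["version"])
    if rec["os"] == "macOS":
        if ver[0] >= 13:                      # Ventura (13) or later
            fixed = FIXED["macOS Ventura"]
        elif ver[0] in (11, 12) and rec.get("safari"):
            # Big Sur (11) / Monterey (12): assumed to be fixed via Safari 16.5
            ver, fixed = parse_version(rec["safari"]), FIXED["Safari"]
        else:
            return "check_advisory"
    else:
        fixed = FIXED.get(rec["os"])
        # Older major branch (e.g. iOS 15 on an iPhone 6s): this bulletin
        # lists no fixed version for it, so do not guess.
        if fixed is None or ver[0] < fixed[0]:
            return "check_advisory"
    return "patched" if at_least(ver, fixed) else "vulnerable"

INVENTORY = [  # constructed sample data
    {"host": "mac-01", "os": "macOS", "version": "13.3.1"},
    {"host": "mac-02", "os": "macOS", "version": "12.6.5", "safari": "16.5"},
    {"host": "mac-03", "os": "macOS", "version": "11.7.6", "safari": "16.4"},
    {"host": "phone-01", "os": "iOS", "version": "16.5"},
    {"host": "phone-02", "os": "iOS", "version": "15.7.5"},
    {"host": "watch-01", "os": "watchOS", "version": "9.4"},
]

def report(inventory):
    return {rec["host"]: assess(rec) for rec in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as `check_advisory` are on a release branch for which this bulletin gives no fixed version; confirm the applicable update in the Apple advisory.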

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Apple occupies a significant portion of the smart device and PC market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Apple products have become a prime target. Because smart devices and PCs have become an integral aspect of both personal and business operations, threat actors will continue to exploit vulnerabilities contained within these systems in an attempt to extract the sensitive information contained therein.

The zero-day flaws reported here follow three other zero-day vulnerabilities relating to Apple products that have emerged since February 2023, namely:

– CVE-2023-28206

– CVE-2023-28205

– CVE-2023-23529

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactic: Execution:

TA0002 – Execution

Further Information

Apple Advisory

Intelligence Terminology Yardstick