Apple released emergency security updates to patch three more zero-day vulnerabilities that were exploited in attacks against iPhone and Mac users, bringing the total number of zero-days fixed this year to 16. Apple fixed the three flaws in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and strengthening checks.
Two of the bugs were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991). They allow attackers to execute arbitrary code through maliciously crafted websites and to bypass signature validation using malicious apps, respectively. The third was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel-resident device drivers. This vulnerability (CVE-2023-41992) allows local attackers to gain elevated privileges.