Apple has patched three zero-day vulnerabilities it claims may have been actively exploited in the wild on iOS devices.
CVE-2023-41991 is described as “a certificate validation issue” which has now been fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6 and watchOS 10.0.1.
The vulnerability, which affects the Apple Security framework, could enable a malicious app to bypass signature validation, the tech giant revealed.
CVE-2023-41992 impacts the Apple kernel and was addressed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7 and watchOS 10.0.1.
Apple said “a local attacker may be able to elevate their privileges” by exploiting the vulnerability.
Finally, CVE-2023-41993 affects the WebKit browser engine and was also fixed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1.
“Processing web content may lead to arbitrary code execution,” Apple said of the bug.
Interestingly, all three were found by Bill Marczak of the University of Toronto’s Citizen Lab and Maddie Stone of Google’s Threat Analysis Group.
Both have a track record of finding threats developed by commercial spyware makers and targeted at journalists, dissidents, rights groups and others.
Earlier this month, for example, Citizen Lab alerted Apple to two zero-day vulnerabilities being chained in a “BlastPass” exploit to deliver the notorious Pegasus spyware.
The vulnerabilities that Citizen Lab in particular finds have often been researched by companies like NSO Group in order to deliver eavesdropping capabilities to their clients – usually government agencies.
However, the work of these companies is controversial. The US government has put several of them on its entity list, and a Presidential executive order earlier this year banned federal agencies from using any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.