overview
This week, Apple addressed and patched three critical zero-day vulnerabilities that pose a significant threat to all Apple product users, including iPad, Apple Watch, macOS, and iPhone devices. This brings the total number of zero-days fixed by Apple this year to 16.
CVE-2023-41991, found within the Security framework, can be exploited by a malicious application, allowing it to circumvent signature validation.
CVE-2023-41993, situated within the WebKit browser engine, may be triggered through the handling of specially crafted web content, potentially resulting in arbitrary code execution.
CVE-2023-41992 is found in the Kernel Framework. This vulnerability can be exploited by attackers to escalate privileges.
Impacted devices are as follows:
Apple has fixed the vulnerabilities in the following software versions:
Apple acknowledges that these vulnerabilities may have been actively exploited in versions of iOS prior to iOS 16.7, emphasizing the urgency of updating your devices. These vulnerabilities have the potential to facilitate the deployment of the NSO Group's Pegasus spyware.
To protect your devices and data, Avertium strongly recommends updating your Apple products immediately. Apple has released updates for iOS, iPadOS, macOS, watchOS, and Safari.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.SUPPORTING DOCUMENTATION