Apple has released emergency security updates to fix three new zero-day vulnerabilities that were being exploited in attacks.
Two bugs were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991), enabling attackers to bypass signature validation using malicious apps or gain arbitrary code execution via maliciously crafted webpages.
The third one was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel-resident device drivers. Local attackers can exploit this flaw (CVE-2023-41992) to escalate privileges.
Apple says that it is aware of reports that the vulnerabilities were being actively exploited, but the company did not provide any further information about the attacks.
The security updates have been released for iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, macOS 12.7/13.6, and watchOS 9.6.3/10.0.1.
Apple is urging all users to update their devices as soon as possible.
What are zero-day vulnerabilities?
A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched.
An exploit that attacks a zero-day vulnerability is called a zero-day exploit.
The term “zero-day” originally referred to the number of days since a new piece of software was released to the public, so “zero-day software” was obtained by hacking into a developer’s computer before release.
