Zero-Day

Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16.

The list of security vulnerabilities is as follows -

  • CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992 - A security flaw in Kernel that could allow a local attacker to elevate their privileges.
  • CVE-2023-41993 - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content.

Apple did not provide additional specifics barring an acknowledgement that the "issue may have been actively exploited against versions of iOS before iOS 16.7."

Cybersecurity

The updates are available for the following devices and operating systems -

Credited with discovering and reporting the shortcomings are Bill Marczak of the Citizen Lab at the University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group (TAG), indicating that they may have been abused as part of highly-targeted spyware aimed at civil society members who are at heightened risk of cyber threats.

The disclosure comes two weeks after Apple resolved two other actively exploited zero-days (CVE-2023-41061 and CVE-2023-41064) that have been chained as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus.

This was followed by both Google and Mozilla shipping fixes to contain a security flaw (CVE-2023-4863) that could result in arbitrary code execution when processing a specially crafted image.

Cybersecurity

There is evidence to suggest that both CVE-2023-41064, a buffer overflow vulnerability in the Apple's Image I/O image parsing framework, and CVE-2023-4863, a heap buffer overflow in the WebP image library (libwebp), could refer to the same bug, according to Isosceles founder and former Google Project Zero researcher Ben Hawkes.

Rezilion, in an analysis published Thursday, revealed that the libwebp library is used in several operating systems, software packages, Linux applications, and container images, highlighting that the scope of the vulnerability is much broader than initially assumed.

"The good news is that the bug seems to be patched correctly in the upstream libwebp, and that patch is making its way to everywhere it should go," Hawkes said. "The bad news is that libwebp is used in a lot of places, and it could be a while until the patch reaches saturation."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.