- I opened up a cheap 600W charger to test its build, and found 'goo' inside
- How to negotiate like a pro: 4 secrets to success
- One of the cheapest Android tablets I've ever tested replaced my iPad with no sweat
- I use this cheap Android tablet more than my iPad Pro - and don't regret it
- The LG soundbar made my home audio sound like a theater - even though it's not the newest model
Apple Patches Three Actively Exploited Zero-Days
Apple has patched three zero-day vulnerabilities it claims may have been actively exploited in the wild on iOS devices.
CVE-2023-41991 is described as “a certificate validation issue” which has now been fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6 and watchOS 10.0.1.
The vulnerability, which affects the Apple Security framework, could enable a malicious app to bypass signature validation, the tech giant revealed.
CVE-2023-41992 impacts the Apple kernel and was addressed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7 and watchOS 10.0.1.
Apple said “a local attacker may be able to elevate their privileges” by exploiting the vulnerability. Both of these CVEs are listed here.
Finally, CVE-2023-41993 affects the WebKit browser engine and was also fixed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1.
“Processing web content may lead to arbitrary code execution,” Apple said of the bug.
Read more on Apple zero-days: Apple Patches Two Zero-Days Exploited in the Wild
Interestingly, all three were found by Bill Marczak of the University of Toronto’s Citizen Lab and Maddie Stone of Google’s Threat Analysis Group.
Both have a track record of finding threats developed by commercial spyware makers and targeted at journalists, dissidents, rights groups and others.
Earlier this month, for example, Citizen Lab alerted Apple to two zero-day vulnerabilities being chained in a “BlastPass” exploit to deliver the notorious Pegasus spyware.
The vulnerabilities Citizen Lab in particular finds have often been researched by companies like NSO Group to deliver eavesdropping capabilities to their clients – usually government agencies.
However, their work is controversial. The US government has put several such companies on its entity list and a Presidential executive order earlier this year banned federal agencies from using any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.
