Apple Patches Three Actively Exploited Zero-Days
Apple has patched three zero-day vulnerabilities it claims may have been actively exploited in the wild on iOS devices.
CVE-2023-41991 is described as “a certificate validation issue” which has now been fixed in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6 and watchOS 10.0.1.
The vulnerability, which affects the Apple Security framework, could enable a malicious app to bypass signature validation, the tech giant revealed.
CVE-2023-41992 impacts the Apple kernel and was addressed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7 and watchOS 10.0.1.
Apple said “a local attacker may be able to elevate their privileges” by exploiting the vulnerability. Both of these CVEs are listed here.
Finally, CVE-2023-41993 affects the WebKit browser engine and was also fixed with “improved checks” in iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, and Safari 16.6.1.
“Processing web content may lead to arbitrary code execution,” Apple said of the bug.
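A defender's first question after an advisory like this is which devices in an inventory are still below the fixed builds. The script below is an added example, not code from Apple or from the article: it encodes the fixed releases quoted above for each CVE and platform and compares installed version strings against them branch by branch, so that iOS 17.0 is reported vulnerable even though it is numerically newer than the patched 16.7. The inventory entries are constructed sample data, and the decision to report majors the article does not list (for example iOS 15, or macOS 12 for a CVE that only names macOS 13.6) as "unknown" rather than patched is an assumption of this example.

```python
from typing import Dict, List, Tuple

# Fixed releases per CVE and platform, transcribed from the article's text.
FIXED_RELEASES: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "CVE-2023-41991": {
        "iOS": ("16.7", "17.0.1"),
        "iPadOS": ("16.7", "17.0.1"),
        "watchOS": ("9.6.3", "10.0.1"),
        "macOS": ("13.6",),
    },
    "CVE-2023-41992": {
        "iOS": ("16.7", "17.0.1"),
        "iPadOS": ("16.7", "17.0.1"),
        "watchOS": ("9.6.3", "10.0.1"),
        "macOS": ("12.7", "13.6"),
    },
    "CVE-2023-41993": {
        "iOS": ("16.7", "17.0.1"),
        "iPadOS": ("16.7", "17.0.1"),
        "Safari": ("16.6.1",),
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.1' into (17, 0, 1) so comparisons are numeric, not lexical:
    (16, 7) < (16, 10) even though the string '16.7' sorts after '16.10'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {version!r}")
    return parts


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; missing trailing components count as zero (16.7 == 16.7.0)."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def patch_status(cve: str, platform: str, version: str) -> str:
    """Classify an installed version as 'patched', 'vulnerable' or 'unknown'.

    Apple shipped fixes on several release branches at once (16.7 and 17.0.1),
    so the installed major version selects which fixed build applies. A major
    with no listed fix yields 'unknown' (assumption: do not guess either way).
    """
    fixes = FIXED_RELEASES.get(cve, {}).get(platform)
    if not fixes:
        return "unknown"  # platform not named for this CVE in the article
    installed = parse_version(version)
    for fixed in fixes:
        fixed_parsed = parse_version(fixed)
        if fixed_parsed[0] == installed[0]:
            return "patched" if compare_versions(installed, fixed_parsed) >= 0 else "vulnerable"
    return "unknown"


def fleet_report(inventory: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each device name to its status for every CVE in the table."""
    report: Dict[str, Dict[str, str]] = {}
    for device in inventory:
        report[device["name"]] = {
            cve: patch_status(cve, device["platform"], device["version"])
            for cve in FIXED_RELEASES
        }
    return report


# Constructed sample inventory (hypothetical device names and builds).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "phone-a", "platform": "iOS", "version": "17.0"},
    {"name": "phone-b", "platform": "iOS", "version": "16.7"},
    {"name": "laptop-c", "platform": "macOS", "version": "12.7"},
    {"name": "watch-d", "platform": "watchOS", "version": "9.6.2"},
]

if __name__ == "__main__":
    for name, statuses in fleet_report(SAMPLE_INVENTORY).items():
        print(name, statuses)
```

Note that "laptop-c" on macOS 12.7 comes back patched for CVE-2023-41992, which names macOS Monterey 12.7, but unknown for CVE-2023-41991, whose fix list in the article stops at macOS Ventura 13.6; a checker that only did "installed >= 13.6" would silently mark such a device either way.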
Interestingly, all three were found by Bill Marczak of the University of Toronto’s Citizen Lab and Maddie Stone of Google’s Threat Analysis Group.
Both have a track record of finding threats developed by commercial spyware makers and targeted at journalists, dissidents, rights groups and others.
Earlier this month, for example, Citizen Lab alerted Apple to two zero-day vulnerabilities being chained in a “BlastPass” exploit to deliver the notorious Pegasus spyware.
The vulnerabilities Citizen Lab in particular finds have often been researched by companies like NSO Group to deliver eavesdropping capabilities to their clients – usually government agencies.
However, the work of such companies is controversial. The US government has put several of them on its entity list, and a Presidential executive order earlier this year banned federal agencies from using any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.