In response to the discovery of three zero-day vulnerabilities in Apple devices, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to take immediate action. The flaws, designated as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, were found in the WebKit browser engine and were being actively exploited by attackers.
The vulnerabilities allowed for the bypassing of browser security measures, unauthorized access to sensitive data, and the execution of arbitrary code on compromised devices. Apple released updates to address these issues in its various operating systems and Safari browser.
The affected devices include numerous iPhone, iPad, Mac, Apple Watch, and Apple TV models. While specific details about the attacks have not been disclosed, Apple acknowledged the involvement of Clément Lecigne from Google's Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International's Security Lab in reporting one of the flaws. These organizations often reveal state-sponsored campaigns that exploit zero-day vulnerabilities for targeted surveillance purposes. In line with a binding operational directive, federal agencies must apply patches by June 12th, 2023, to protect their systems from these vulnerabilities.
Private companies are also advised to address the flaws promptly, as they pose significant risks to their networks and systems. This incident follows a previous warning in April, when federal agencies were urged to secure iPhones and Macs against similar security flaws reported by Google TAG and Amnesty International researchers.
Aaron Sandeen, CEO and co-founder of Securin, weighed in on the security vulnerabilities and the challenges that come with manual patching:
“Securin has been documenting and closely monitoring software vulnerabilities and developments since 2020. The bugs CISA is urging Apple users to patch are arbitrary code execution vulnerabilities that essentially grant attackers complete access to the device to manipulate as they see fit. This exposes Apple users to a host of attacks such as ransomware, data exfiltration, or data destruction. Apple’s response to this type of vulnerability was near perfect — acknowledge the problem immediately, and more importantly address it quickly in the form of a security patch. However, that’s the easy part. Now the hard part is getting people to install the update.
As Securin has found, while many vendors do publish security patches, many users simply fail to update their devices, leading to a security exploitation. My advice for consumers is, if you currently own any Apple product, consider manually updating your device this second. For organizations, set up automatic updates for company hardware and consider scheduling regular pen tests on your organization’s networks to stay ahead of zero-day vulnerabilities and encourage early detection.”