CISA Urges Deployment Of Patches For Three Apple Device Vulnerabilities
The federal cybersecurity agency says the bugs affecting iPhones, Macs and iPads are seeing active exploitation by threat actors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday it’s advising the deployment of Apple updates for three actively exploited vulnerabilities impacting iPhone, Mac and iPad devices.
On Thursday, Apple released iOS 16.5, macOS Ventura 13.4 and iPadOS 16.5 in response to the discoveries of the vulnerabilities.
CISA said in a post that it has seen “evidence of active exploitation” for the three vulnerabilities, all of which affect WebKit, the open-source browser engine Apple uses across its device operating systems.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said in the post.
The vulnerabilities consist of a sandbox escape bug (tracked as CVE-2023-32409), an out-of-bounds read vulnerability (CVE-2023-28204) and a use-after-free bug (CVE-2023-32373).
CISA ordered federal agencies to update affected devices by June 12 with the latest versions of iOS, macOS and iPadOS.
While the order only applies to Federal Civilian Executive Branch agencies, “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation” of actively exploited vulnerabilities such as the Apple operating system bugs, the agency said in its post Monday.
The three vulnerabilities impact iPhones going back to the iPhone 6S; Macs that run macOS Big Sur, Monterey and Ventura; and numerous models of iPad.
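For organizations following CISA's advice, the practical task is checking a device inventory against the fixed releases named above. The script below is an added example, not code from CISA or Apple: it treats iOS 16.5, iPadOS 16.5 and macOS 13.4 as the minimum patched versions, compares versions numerically rather than as strings (so a hypothetical "16.10" is not ranked below "16.5"), and runs over a constructed sample export, which is assumed data rather than a real fleet.

```python
from typing import Optional

# Minimum fixed releases, taken from the versions named in the article.
# Anything older is treated as still exposed to the three WebKit bugs.
FIXED_VERSIONS = {
    "iOS": (16, 5),
    "iPadOS": (16, 5),
    "macOS": (13, 4),  # Ventura 13.4
}
CVES = ("CVE-2023-32409", "CVE-2023-28204", "CVE-2023-32373")


def parse_version(text: str) -> tuple:
    """Turn '16.5.1' into (16, 5, 1) so comparison is numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_patched(os_name: str, version: str) -> Optional[bool]:
    """True if at or above the fixed release, False if below,
    None if the OS is outside the scope of these fixes."""
    floor = FIXED_VERSIONS.get(os_name)
    if floor is None:
        return None
    return parse_version(version) >= floor


def exposed_devices(inventory):
    """Return every (device_id, os, version) row still below the fix."""
    return [(d, o, v) for d, o, v in inventory if is_patched(o, v) is False]


# Constructed sample MDM export (hypothetical devices): (id, os, version)
SAMPLE_INVENTORY = [
    ("iphone-001", "iOS", "16.5"),
    ("iphone-002", "iOS", "16.4.1"),
    ("ipad-001", "iPadOS", "16.5"),
    ("mac-001", "macOS", "13.4"),
    ("mac-002", "macOS", "13.3.1"),
    ("mac-003", "macOS", "12.6.6"),  # Monterey is listed as affected; below 13.4
    ("iphone-003", "iOS", "16.10"),  # hypothetical later build; must not be flagged
]

if __name__ == "__main__":
    for dev, os_name, ver in exposed_devices(SAMPLE_INVENTORY):
        print(f"{dev}: {os_name} {ver} is below the fix for {', '.join(CVES)}")
```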
In a post on the updates Thursday, Apple credited the discovery of one of the vulnerabilities (CVE-2023-32409) to Google’s Threat Analysis Group and Amnesty International’s Security Lab. The other two vulnerabilities were credited to anonymous researchers.
Apple has released patches for a total of six zero-day vulnerabilities in 2023 so far. The company previously patched a zero-day flaw in February and a pair of zero-day vulnerabilities in April.