PureCyber

Apple Addresses 3 Zero-Day Vulnerabilities Exploited by Spyware Vendor to Compromise iPhones

Apple has recently revealed that it has taken swift action to address three newly discovered zero-day vulnerabilities in its operating systems. These vulnerabilities, identified as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, posed significant security risks to Apple users, as they could be exploited by malicious actors, and in particular by sophisticated vendors of spyware (malware designed to enter your device, gather data about you, and forward it to a third party).

CVE-2023-41991: Signature Verification Bypass

This vulnerability allowed malicious applications to circumvent signature verification, opening the door for unauthorised access and potential compromise of the affected devices.

CVE-2023-41992: Kernel Privilege Elevation

The second vulnerability, CVE-2023-41992, was a kernel (the interface between user applications and hardware) flaw that could be exploited by a local attacker to gain elevated privileges within the operating system, increasing the potential for considerable damage or data theft.

CVE-2023-41993: WebKit Exploitation

The third zero-day, CVE-2023-41993, was a bug in WebKit, the web browser engine used by Safari. It enabled attackers to execute arbitrary code on a device by enticing the user to visit a malicious web page.

Apple has since addressed these vulnerabilities in a series of updates, covering various products, including Safari, iOS, iPadOS (versions 17 and 16), macOS (Ventura and Monterey), and watchOS. It has emphasised that these vulnerabilities may have already been exploited, especially on versions of iOS predating 16.7.

Apple has also not disclosed any details regarding the specific attacks that exploited these vulnerabilities. However, the groups responsible for identifying and reporting these threats, the University of Toronto's Citizen Lab and Google's Threat Analysis Group, strongly suggest that these zero-days were exploited by commercial spyware vendors targeting iPhones.

This isn't the first time Apple and security researchers have joined forces to tackle vulnerabilities. In a prior collaboration, they investigated another zero-day vulnerability, CVE-2023-41064, which was exploited through a zero-click exploit (one that lets an attacker remotely compromise a device without any user interaction) named BlastPass. This exploit was the delivery mechanism for the notorious Pegasus spyware, developed by the NSO Group, targeting iPhones.

Research has also previously uncovered an attack in which the Pegasus spyware was delivered to an employee at an international civil society organisation based in Washington DC. CVE-2023-41064 specifically targeted the WebP image format, an issue that also impacted popular web browsers such as Chrome and Firefox. Consequently, Google and Mozilla responded by releasing emergency updates to address this critical vulnerability, identified as CVE-2023-4863.

Find out more about malware and how to protect your organisation against future cyber threats here. For further help managing and supporting your cyber security, explore our subscription options here.

You can also get in touch with our cyber experts with any questions by clicking on the contact button below.