Active Exploitation of Zero-day Vulnerabilities in Apple Products

Published on 22 Jun 2023 | Updated on 28 Jun 2023

Apple has released security updates to address multiple zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439) in their products. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are:

• CVE-2023-32434: An integer overflow vulnerability that could allow an attacker to perform arbitrary code execution with kernel privileges with an application.

• CVE-2023-32435: A memory corruption vulnerability that could allow an attacker to perform arbitrary code execution by processing web content.

• CVE-2023-32439: A type confusion vulnerability that could allow an attacker to perform arbitrary code execution by processing maliciously crafted web content.

The vulnerabilities affect the following products:

• iPhone 6s (all models)

• iPhone 7 (all models)

• iPhone SE (1st generation)

• iPhone 8 and later

• iPad 5th generation and later

• iPad Air 3rd generation and later

• iPad Air 2

• iPad mini 4th generation and later

• iPad Pro (all models)

• iPod Touch (7th generation)

• Macs running macOS Big Sur, Monterey, and Ventura

• Apple Watch Series 3 to 7

• Apple Watch SE

Users of affected product versions are advised to update to the latest versions immediately.

Users are also advised to enable automatic software updates by going to Settings > General > Software Updates > Enable Automatic Updates.

More information is available here:

https://support.apple.com/en-us/HT213811

https://support.apple.com/en-us/HT213814

https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-days-used-to-deploy-triangulation-spyware-via-imessage/