Connect with us

Hi, what are you looking for?


Mobile & Wireless

Apple Patches 3 Exploited WebKit Zero-Day Vulnerabilities

Apple has patched 3 zero-days, two of which are the vulnerabilities patched with the tech giant’s first Rapid Security Response updates.

New iOS exploit blamed on US intelligence

Apple on Thursday released security updates for its operating systems to patch dozens of vulnerabilities that could expose iPhones and Macs to hacker attacks, including three zero-days affecting the WebKit browser engine.

Two of the actively exploited vulnerabilities, CVE-2023-28204 and CVE-2023-32373, have been reported to the tech giant by an anonymous researcher. Their exploitation can lead to sensitive information disclosure and arbitrary code execution if the attacker can trick the targeted user into processing specially crafted web content — this includes luring them to a malicious site. 

No information is available on the attacks exploiting these zero-day flaws.

Apple revealed in its advisories that these were the vulnerabilities that it patched with its first Rapid Security Response updates, specifically iOS 16.4.1(a), iPadOS 16.4.1(a), and macOS 13.3.1(a).

Now, iOS 16.5 and iPadOS 16.5 fix CVE-2023-28204 and CVE-2023-32373, as well as CVE-2023-32409, a WebKit zero-day that can be exploited to escape the Web Content sandbox.

CVE-2023-32409 was reported to Apple by Google’s Threat Analysis Group and Amnesty International, which indicates that it has likely been exploited by the products of a commercial spyware vendor. 

Google recently detailed several iOS and Android exploits that the company has linked to various spyware vendors.  

Advertisement. Scroll to continue reading.

The latest iOS and iPadOS updates patch over 30 other vulnerabilities, including ones that can lead to a security bypass, sandbox escape, arbitrary code execution, exposure of location and other user data, privilege escalation, termination of an app, recovery of deleted photos, retaining access to system configuration files, contact information exposure from the lock screen, and modifications of protected parts of the file system.

CVE-2023-28204 and CVE-2023-32373 have also been fixed with the release of iOS and iPadOS 15.7.6

The exploited WebKit vulnerabilities have also been resolved in Apple TV, Apple Watch and Safari. 

The latest macOS Ventura update fixes the three zero-days, along with nearly 50 other vulnerabilities that can lead to sensitive information disclosure, arbitrary code execution, DoS attacks, a security feature bypass, and privilege escalation. 

Apple has also updated macOS Monterey to version 12.6.6 and Big Sur to version 11.7.7 to patch more than two dozen vulnerabilities, but none of the zero-days. 

Related: Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices

Related: Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days

Related: Apple Patches Actively Exploited WebKit Zero-Day Vulnerability 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...