Apple has released security updates to address zero-day vulnerabilities exploited in attacks targeting iPhones, Macs, and iPads.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in an advisory describing a WebKit flaw tracked as CVE-2023-37450 that was addressed in a new round of Rapid Security Response (RSR) updates earlier this month.
The other zero-day patched today is a new Kernel flaw tracked as CVE-2023-38606 that was exploited in attacks targeting devices running older iOS releases.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” the company said.
Attackers could exploit it on unpatched devices to modify sensitive kernel states. Apple addressed the two weaknesses with improved checks and state management.
The company also backported security patches for a zero-day (CVE-2023-32409) addressed in May to devices running tvOS 16.6 and watchOS 9.6
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The list of devices impacted by the two zero-days fixed today is quite extensive, and it includes a wide range of iPhone and iPad models, as well as Macs running macOS Big Sur, Monterey, and Ventura.
Eleventh zero-day exploited in attacks patched this year
Since the start of the year, Apple has patched 11 zero-day flaws exploited by attackers to target devices running iOS, macOS, and iPadOS.
Earlier this month, Apple released out-of-band Rapid Security Response (RSR) updates to address a bug (CVE-2023-37450) impacting fully-patched iPhones, Macs, and iPads.
Before this, Apple also addressed: