CVE-2023-38606 & CVE-2023-37450: Apple Addresses Actively Exploited 0-Day Flaws

Two critical zero-day vulnerabilities have recently made headlines, threatening the digital security of Apple devices around the globe. These flaws, identified as CVE-2023-37450 and CVE-2023-38606, were discovered lurking in Apple’s multi-platform WebKit browser engine and kernel component. Both issues have been actively exploited, making immediate attention to these security breaches paramount.

CVE-2023-38606

The WebKit Zero-Day Bug: CVE-2023-37450

CVE-2023-37450 is a WebKit security flaw, and its exploitation could allow malevolent actors to execute arbitrary code on vulnerable devices, thereby seizing control. The attack unfolds when a user unwittingly opens a malicious web page on a compromised device. The affected devices include iPhone 8 and later, all iPad Pro models, iPad Air (3rd generation and later), iPad 5th generation and later, and iPad mini 5th generation and later. The macOS Ventura is also part of the fray. This flaw was reported by an anonymous researcher.

In response, Apple has fortified its defense system against this flaw with improved checks in iOS 16.6, iPadOS 16.6, and macOS Ventura 13.5. Despite this, the company remains vigilant, acknowledging in security advisories that reports suggest this issue might have been actively exploited. “Apple is aware of a report that this issue may have been actively exploited,” the company revealed in security advisories describing the flaw.

The Kernel Zero-Day Bug: CVE-2023-38606

The second vulnerability, CVE-2023-38606, was reported by cybersecurity experts Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) from Kaspersky. This kernel flaw, if exploited, could enable attackers to “modify sensitive kernel state” on iPhones and Macs, potentially giving them control over these devices. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” the company revealed in security advisories describing the flaw.

The threat encompasses a wide range of Apple devices, including macOS Big Sur, Monterey, and Ventura, as well as iPhone models from the iPhone 6s and onward. All iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and the iPod touch 7th generation are also vulnerable.

Reacting swiftly, Apple has addressed this flaw with improved state management. However, the tech giant has warned that versions of iOS released before iOS 15.7.1 may have fallen prey to this issue.

Users are encouraged to update their devices to the latest versions of iOS, iPadOS, and macOS as soon as possible to protect themselves from these attacks.