CISA orders govt agencies to patch iPhone bugs exploited in attacks

From bleepingcomputer.com

Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws that affect iPhones, Macs, and iPads and are known to be exploited in attacks.

The security bugs are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all found in the WebKit browser engine.

They allow attackers to escape the browser sandbox, access sensitive information on the compromised device, and achieve arbitrary code execution following successful exploitation.

“Apple is aware of a report that this issue may have been actively exploited,” the company said when describing the flaws.

The three zero-days were addressed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
