All Federal Civilian Executive Branch Agencies (FCEB) have until June 12 this year to patch a large number of Apple-made devices to protect their employees and systems from vulnerabilities that are reportedly being exploited in the wild.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a new directive requiring FCEB organizations to secure their endpoints against three known exploited vulnerabilities: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in a statement.
WebKit woes
Apple recently published a security advisory detailing the discovery of three flaws in its WebKit browser engine. WebKit is best known as the underlying technology of the Safari web browser, but it is also used by every web browser on iOS and iPadOS, since third-party browsers on those platforms must use it. As such, WebKit is an attractive target for threat actors looking for vulnerabilities that can be used to gain access to the targeted endpoint.
The first is a sandbox escape, the second an out-of-bounds read that gives attackers unrestricted access to sensitive information, and the third a use-after-free vulnerability that could allow arbitrary code execution. All three have been fixed with improved bounds checks, input validation, and memory management.
Here is the full list of affected endpoints:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and newer
- Apple TV 4K (all models) and Apple TV HD
To secure their devices, FCEB agencies must update them to macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5.
While Apple didn’t say who exploited these flaws or for what purpose, Bleeping Computer notes that because they were discovered by Google’s Threat Analysis Group and Amnesty International’s Security Lab, they were most likely used by state-sponsored threat actors.
Via: Bleeping Computer