Apple has released security updates to address zero-day vulnerabilities exploited in attacks targeting iPhones, Macs and iPads.

“Apple is aware of a report that this issue may have been actively exploited,” the company said. said in an advisory describing a WebKit flaw identified as CVE-2023-37450 which was addressed in a new round of Rapid Security Response (RSR) updates earlier this month.

The other zero-day flaw patched today is a new kernel flaw identified as CVE-2023-38606 that has been exploited in attacks targeting devices running older iOS versions.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released prior to iOS 15.7.1,” the company said. said.

Attackers could exploit it on unpatched devices to alter sensitive kernel states. Apple fixed both weaknesses by improving controls and state management.

The company also backported zero-day security fixes (CVE-2023-32409) sent in May to devices running tvOS 16.6 and watchOS 9.6

Apple addressed three zero days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved limit checks, input validation, and memory management.

The list of devices affected by the two day zero fixes today is quite long and includes a wide range of iPhone and iPad models, as well as Macs running macOS Big Sur, Monterey, and Ventura.

Eleventh zero-day exploited in patched attacks this year

Since the start of the year, Apple has patched 11 zero-day flaws exploited by attackers to target devices running iOS, macOS and iPadOS.

Earlier this month, Apple out-of-band Rapid Security Response (RSR) updates released to address a bug (CVE-2023-37450) affecting iPhones, Macs, and iPads fully patched.

The company then confirmed the RSR updates broke web browsing on some websites and released fixed versions of bug fixes two days later.

Prior to this, Apple also addressed: