Apple patched three new zero-day vulnerabilities exploited in attacks to hack iPhones, Macs and iPads.
The security bugs were all found in the cross-platform WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
The first vulnerability is a sandbox escape that allows remote attackers to break out of web content sandboxes.
The other two are an out-of-bounds read that can help attackers gain access to sensitive information, and a use-after-free issue that allows arbitrary code to be executed on compromised devices, both after tricking targets into loading maliciously crafted web pages (web content).
Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The list of affected devices is quite extensive, as the bugs affect both older and newer models, and includes:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Mac running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
The company also revealed that CVE-2023-28204 and CVE-2023-32373 (reported by anonymous researchers) were first addressed with the Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices released on May 1.
An Apple spokesperson did not respond to a request for further details when contacted by BleepingComputer at the time regarding the flaws fixed with the May RSR updates.
Six zero-days patched since the beginning of 2023
While Apple says it is aware that the three zero-days patched today are being exploited, it hasn't shared any information regarding these attacks.
However, today’s advisories reveal that CVE-2023-32409 was reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
The organizations the two researchers belong to routinely disclose details of state-backed campaigns exploiting zero-day bugs to deploy mercenary spyware on the smartphones and computers of politicians, journalists, dissidents, and more.
In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were part of in-the-wild exploit chains of Android, iOS, and Chrome zero-day and n-day vulnerabilities, exploited to deploy commercial spyware on devices belonging to high-risk targets around the world.
In February, Apple addressed another WebKit zero-day (CVE-2023-23529) exploited in attacks to achieve code execution on vulnerable iPhones, iPads, and Macs.