Today, the US Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to patch three recently fixed zero-day flaws affecting iPhones, Macs, and iPads that are known to be exploited in attacks.
The security bugs are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, and all three were found in the WebKit browser engine.
They allow attackers to escape the browser sandbox, access sensitive information on the compromised device, and achieve arbitrary code execution after successful exploitation.
“Apple is aware of a report that this issue may have been actively exploited,” the company said when describing the flaws.
The three zero-days were fixed in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.
The full list of affected devices is quite extensive and includes the following:
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Big Sur, Monterey, and Ventura
- Apple Watch Series 4 and later
- Apple TV 4K (all models) and Apple TV HD
Likely exploited in state-sponsored spyware attacks
While Apple didn’t provide specific details on the attacks in which the bugs were abused, it did reveal that CVE-2023-32409 was reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
The two researchers and their respective organizations frequently disclose information about state-sponsored campaigns that exploit zero-day vulnerabilities to install surveillance spyware on the devices of politicians, journalists, dissidents and other individuals during highly targeted attacks.
For example, in March they disclosed details about two recent campaigns that used complex exploit chains of Android, iOS, and Chrome flaws to install mercenary spyware, one of which was a Samsung ASLR bypass flaw that CISA warned about on Friday.
June 12 patch deadline
In accordance with Binding Operational Directive BOD 22-01, released in November 2022, Federal Civilian Executive Branch (FCEB) agencies must patch their systems against all security bugs listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
With today’s update, FCEB agencies are required to secure their iOS, iPadOS and macOS devices by June 12, 2023.
Although primarily intended for US federal agencies, private companies are strongly advised to also place a high priority on patching vulnerabilities contained in the KEV list of bugs exploited in attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said Monday.
In April, federal agencies were also warned to secure iPhones and Macs on their networks against another pair of iOS and macOS security flaws reported by Google TAG and Amnesty International security researchers.