Unnamed attackers have exploited vulnerabilities in the WebKit engine for Apple's Safari browser, which is used to render web content in all of the technology giant's operating systems.
One vulnerability, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab, could allow attackers to break out of the Web Content protective "sandbox" which restricts access to other parts of the operating system.
The vulnerability, given the common vulnerabilities and exposures index CVE-2023-32409, was patched in the latest round of Apple security updates released today.
Neither Amnesty International nor Google TAG have revealed who they suspect are behind the attacks, ditto Apple, or when and where they took place.
Apple said two other exploited vulnerabilities in WebKit were addressed with its new Rapid Security Response out-of-band patches.
Reported by anonymous researchers, the bugs allowed attackers to glean sensitive information and execute arbitrary code by exploiting an out-of-bounds read flaw, and a use-after-free condition.
Security researcher Amat Cama of Vigilant Labs found a bug in the cellular function on the iPhone 8 and X that could be used to remotely execute arbitrary code; while Google's Project Zero researcher Ivan Fratric discovered a flaw in the iPhone 8 and later, iPad Pro, Air and mini Telephony function that could crash apps and also be abused to run code remotely.
Apple's Safari web browser, watchOS, tvOS, iOS, iPadOS and macOS operating systems all received security updates.