Apple issues urgent fix to block zero-day attacks — update your iPhone and Mac now

iPhone 14 in hand
(Image credit: Future)

Apple has once again released security updates to address zero-day vulnerabilities that are being used in attacks against iPhone, iPads and Macs.

In a security advisory posted on its site, the Cupertino-based company explained that it is aware of a report that these issues may have been actively exploited by hackers. For this reason, it’s important that you install the latest security updates for your Apple devices as soon as possible.

All three of these new zero-days were discovered in the open source WebKit browser engine that powers Apple’s Safari as well as Google Chrome on iOS, iPadOS and macOS. According to BleepingComputer, the first vulnerability (tracked as CVE-2023-32409) is a sandbox escape that can be leveraged by an attacker to break out of Web Content sandboxes.

The next zero-day (tracked as CVE-2023-28204) is an out-of-bounds read flaw that can be used by an attacker to gain access to sensitive information stored on Apple devices. Meanwhile, the third zero-day is a use-after-free issue that allows arbitrary code to be run on compromised devices.

As Apple often does, the company hasn’t released details on any attacks exploiting these zero-day vulnerabilities yet in order to give its customers more time to update their devices.

Which Apple devices are affected?

As these three zero-day flaws affect both older and newer Apple smartphones, tablets, computers, smartwatches and streaming gear, the list of impacted devices is quite extensive. Here are all of the ones that are affected

  • iPhone 6s
  • iPhone 7
  • iPhone SE (1st gen)
  • iPhone 8 and later
  • iPad Air 2
  • iPad Mini (4th gen)
  • iPod touch (7th gen)
  • Macs running macOS Big Sur, Monterey and Ventura
  • Apple Watch Series 4 and later
  • Apple TV 4K (all models)
  • Apple TV HD

Fortunately though, Apple has patched these flaws with the release of macOS Ventura 13.4, iOS 16.5, iPadOS 16.5, tvOS 16.5, watchOS 9.4 and Safari 16.5. However, the last two zero-day flaws were first fixed through the company's Rapid Security Response (RSR) patches for iOS 16.5.1 and macOS 13.3.1 released at the beginning of this month.

How to stay safe from attacks leveraging zero-day flaws

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

Unlike with malicious apps or malware, there isn’t actually much you can do as an end user to protect yourself from attacks that exploit zero-day vulnerabilities. While the best Mac antivirus software can help keep you protected from most cyberattacks, the same can’t be said for those that leverage zero-days.

The reason for this is that by definition, a zero-day vulnerability is one that was discovered by attackers before a company became aware of it. Patches haven’t yet been made to fix them and unfortunately, you’ll need to wait on Apple or other tech companies to address them.

Still, once patches do become available, it’s up to you to install them as soon as possible. Waiting to do so puts you at risk as hackers often target users that have yet to install the latest security updates.

We might possibly hear more about the attacks that have been spotted in the wild leveraging these flaws but usually, Apple likes to play things close to the chest when it comes to zero-days.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.