Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) took decisive action by issuing an order to federal agencies, mandating the resolution of three recently patched zero-day vulnerabilities. These vulnerabilities have been observed to impact iPhones, Macs, and iPads, making them susceptible to exploitation in malicious attacks. The specific vulnerabilities in question are identified as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all of which are associated with the WebKit browser engine.
While Apple has not provided comprehensive details regarding the specific attacks in which these bugs have been exploited, it has disclosed that CVE-2023-32409 was reported by Clément Lecigne from Google’s Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International’s Security Lab. These two notable researchers, along with their respective organizations, have been actively involved in sharing crucial information pertaining to state-sponsored campaigns that exploit zero-day vulnerabilities. The primary objective of these campaigns is to surreptitiously install surveillance spyware on the devices of targeted individuals, which includes politicians, journalists, dissidents, and other high-profile figures who find themselves at the center of highly-targeted attacks.