
Apple patched zero-click kernel vulnerabilities in its OS underpinning its iPhones, iPads, watches and macOS computers. The bugs are tied to two WebKit vulnerabilities used in impacted devices.
One is a kernel vulnerability, CVE-2023-32434, that allows an app to execute arbitrary code with kernel privileges for devices running iOS 16.5.1 and iPadOS 16.5.1. Affected devices are iPhone 8 and later; all models of iPad Pro; iPad Air 3rd generation and later; iPad 5th generation and later; and iPad mini 5th generation and later.
iOS 15.7.7 and iPadOS 15.7.7 are also susceptible to the same CVE-2023-32434 vulnerability, which affects iPhone 6s (all models); iPhone 7 (all models); iPhone SE (1st generation); iPad Air 2; iPad mini (4th generation); and iPod touch (7th generation).
The WebKit vulnerability tracked as CVE-2023-32439 leads to arbitrary code execution if an affected device processes maliciously crafted web content. The security updates are for iPhone 8 and later; iPad Pro (all models); iPad Air 3rd generation and later; iPad 5th generation and later; and iPad mini 5th generation and later.
A second WebKit bug, tracked as CVE-2023-32435, is similarly described as leading to arbitrary code execution by running web content. Security updates, according to Apple, were released for iPhone 6s (all models); iPhone 7 (all models); iPhone SE (1st generation); iPad Air 2; iPad mini (4th generation); and iPod touch (7th generation).
Apple said it is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
The updates released June 21 are among several emergency security updates Apple has released this year for its devices, including updates in April and May.