
Google researchers report important zero-days in Chrome and all Apple OSes




Researchers in Google’s Threat Analysis Group have been as busy as ever, with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursday’s disclosure suggested in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.

CVE-2023-42916 is an out-of-bounds read that allows hackers to obtain sensitive information when WebKit-powered apps process specially crafted online content. CVE-2023-42917 is a memory corruption flaw that causes vulnerable devices to execute malicious code when processing hacker-created content for a WebKit app. Apple credited TAG’s Clément Lecigne with discovery of both vulnerabilities. Neither Apple nor Google provided details about the zero-day attacks.

On Tuesday, Google said it was releasing an update that fixed seven Chrome vulnerabilities, one of which was a zero-day, meaning Google learned of it after exploits were already available in the wild. Google provided no additional details related to the zero-day.

The bug, tracked as CVE-2023-6345, stems from an integer overflow, a common class of vulnerability that allows hackers to execute malicious code when targets process specially crafted content. The vulnerability resides in the Skia component of the browser. Google credited TAG’s Benoît Sevens and Clément Lecigne for reporting the vulnerability.

Both the Apple and Google updates are being automatically pushed to affected devices. The updates are installed when users reboot their system or restart their browser. Users are likely to receive notifications if enough time passes without a restart. iOS, macOS, and iPadOS users can manually install updates by accessing system settings and choosing the General tab. To manually install the Chrome update, choose the three vertical dots on the top right of the window and choose update.

