Apple has issued critical security updates across its device and software ecosystem to address three zero-day vulnerabilities that posed severe device risks of takeover and malicious code execution. These vulnerabilities affected iOS, iPadOS, macOS, watchOS, and Safari. They were initially discovered by security researchers from Citizen Lab and Google's Threat Analysis Group, who noted potential active exploitation by hackers targeting iOS versions before iOS 16.7.

According to Apple's security advisories, the three flaws are:

1. CVE-2023-41991: A certificate validation issue within the Security framework that could enable a malicious app to bypass signature validation, potentially leading to the installation of unauthorized software on the device.
2. CVE-2023-41992: A security weakness in the Kernel that could empower a local attacker to escalate their privileges and attain root access to the device.
3. CVE-2023-41993: A vulnerability within WebKit that could result in arbitrary code execution when processing specially crafted web content. This issue potentially impacts Safari and other applications utilizing the WebKit engine.

To safeguard their devices, Apple has strongly urged users to promptly update their operating systems and software to the latest versions, which incorporate patches addressing these vulnerabilities. The specific updates include:

1. iOS 16.7 and iPadOS 16.7: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
2. iOS 17.0.1 and iPadOS 17.0.1: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later
3. macOS Monterey 12.7 and macOS Ventura 13.6
4. watchOS 9.6.3 and watchOS 10.0.1: Apple Watch Series 4 and later
5. Safari 16.6.1

According to the Citizen Lab, the flaws are related to the Pegasus spyware that was used to target civil society activists and journalists worldwide. The spyware, developed by the Israeli company NSO Group, can infect devices without any user interaction through zero-click attacks.

Apple has patched 16 zero-day bugs in its software this year, showing the increasing sophistication and frequency of cyberattacks against its products.