Apple has rolled out iOS 16.6.1, iPadOS 16.6.1, watchOS 9.6.2 and macOS Ventura 13.5.2 to address the security flaws.
The actively exploited flaw in Ivanti Endpoint Manager Mobile can be used in conjunction with another zero day addressed last week.
The Microsoft zero-day flaw (CVE-2023-36884) is being leveraged by a Russian-based cybercriminal group in phishing emails sent to defense and government entities in Europe and North America.
The update for the flaw (CVE-2023-37450) is available for iOS 16.5.1, macOS Ventura 13.4.1 and iPadOS 16.5.1.
Researchers point to an “aggressive and skilled actor” with suspected links to China as the group behind the attacks on a recently disclosed Barracuda ESG zero day.