Apple has issued emergency security updates to fix a new zero-day flaw that can be used to hack into iPhones, iPads, and Macs.
The zero-day patched today, CVE-2023-23529 [1, 2], is a WebKit type confusion issue that could be used to execute code on compromised devices and cause OS crashes.
Attackers can exploit the vulnerability to execute arbitrary code on devices running vulnerable versions of iOS, iPadOS, and macOS once a malicious web page is opened (the bug also affects Safari 16.3.1 on macOS Big Sur and Monterey).
“The execution of arbitrary code could occur when maliciously crafted web content is processed,” Apple stated when describing the zero-day. “Apple is aware of a report that this issue may have been actively exploited.”
“We would like to thank The Citizen Lab at The Munk School at The University of Toronto for their assistance.”
Apple addressed CVE-2023-23529 by adding improved security checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.
Since the bug affects both older and newer models, the complete list of affected devices includes:
Apple also patched a kernel use-after-free flaw (CVE-2023-23514), reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero, that could allow arbitrary code execution with kernel privileges on Macs and iPhones. This flaw affects the iPhone 8 and later, iPad Pro (all models), iPad Air (3rd generation and later), iPad 5th generation and later, and iPad mini (5th generation and later).
Apple’s first zero-day patch this year
Although the company acknowledged being aware of reports of in-the-wild exploitation, it has yet to release information regarding these attacks.
By limiting access to this information, Apple probably wants to let as many people as possible update their devices. Doing so keeps additional attackers from using the zero-day’s details to create and deploy their own customized exploits that target vulnerable iPhones, iPads, and Macs.
Even though this zero-day bug was probably only used in specific attacks, it is highly recommended to install today’s emergency updates as soon as possible to stop attacks.