Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

February 14, 2023 | Rabbi Lakshmanan | Device security / zero-day


Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day vulnerability it said was being actively exploited in the wild.

Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that can be triggered when processing maliciously crafted web content, resulting in arbitrary code execution.

The iPhone maker said it addressed the bug with improved checks, adding that it was “aware of reports that this issue may have been actively exploited.” An anonymous researcher allegedly reported this flaw.

It’s not immediately clear how the vulnerability is being exploited in real-world attacks, but it is the second actively exploited type confusion flaw in WebKit that Apple has patched, following CVE-2022-42856, which was closed in December 2022.

The WebKit flaw is also notable because it affects every third-party web browser available for iOS and iPadOS, owing to Apple’s restriction requiring browser vendors to use the same rendering framework.

The company also addressed a kernel use-after-free issue (CVE-2023-23514) that could allow malicious apps to execute arbitrary code with elevated privileges.

Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero reported this issue. Apple said it resolved the vulnerability through improved memory management.

Separately, the latest macOS update also plugs a privacy flaw in Shortcuts that malware-laced apps can use to “monitor unprotected user data.” According to Apple, this issue has been fixed through improved handling of temporary files.

We recommend updating to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to reduce potential risks. The update is available for the following devices –

  • iPhone 8 or later, iPad Pro (all models), iPad Air 3rd generation or later, iPad 5th generation or later, iPad mini 5th generation or later
  • Macs running macOS Ventura, macOS Big Sur, and macOS Monterey
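
A fleet check for the releases recommended above, as an added example that is not part of the original article: it flags inventory rows still below iOS/iPadOS 16.3.1, macOS Ventura 13.2.1, or Safari 16.3.1. The inventory format, the host names, and the rule that Macs on Big Sur and Monterey are judged by their Safari version are assumptions.

```python
FIXED = {  # minimum patched versions named in the article
    "iOS": (16, 3, 1),
    "iPadOS": (16, 3, 1),
    "macOS": (13, 2, 1),  # macOS Ventura
    "Safari": (16, 3, 1),
}

INVENTORY = [  # constructed sample rows, not real devices
    {"host": "iphone-01", "os": "iOS", "os_version": "16.3"},
    {"host": "ipad-02", "os": "iPadOS", "os_version": "16.3.1"},
    {"host": "mbp-03", "os": "macOS", "os_version": "13.2"},
    {"host": "mini-04", "os": "macOS", "os_version": "12.6.3", "safari_version": "16.3"},
    {"host": "imac-05", "os": "macOS", "os_version": "11.7.4", "safari_version": "16.3.1"},
]

def parse_version(text):
    """'16.3' -> (16, 3, 0), so that 16.3 sorts below 16.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(device):
    """Return findings for one inventory row; an empty list means patched."""
    findings = []
    os_name = device["os"]
    os_ver = parse_version(device["os_version"])
    if os_name in ("iOS", "iPadOS"):
        if os_ver < FIXED[os_name]:
            findings.append(f"{os_name} {device['os_version']} < 16.3.1")
    elif os_name == "macOS" and os_ver[0] >= 13:
        if os_ver < FIXED["macOS"]:
            findings.append(f"macOS {device['os_version']} < 13.2.1")
    elif os_name == "macOS":
        # Assumption: Big Sur (11) and Monterey (12) are covered by the Safari update.
        safari = device.get("safari_version")
        if safari is None or parse_version(safari) < FIXED["Safari"]:
            findings.append(f"Safari {safari or 'unknown'} < 16.3.1")
    else:
        findings.append(f"unrecognised OS {os_name!r}")
    return findings

def unpatched(inventory):
    """Map host name -> findings for every row that still needs an update."""
    return {d["host"]: f for d in inventory if (f := assess(d))}

if __name__ == "__main__":
    for host, findings in unpatched(INVENTORY).items():
        print(host, "->", "; ".join(findings))
```
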

Apple fixed a total of 10 zero-days across its software in 2022. Nine of them were found to have been actively exploited by attackers. Four of these flaws were found in WebKit.
