Apple’s iOS, iPadOS, macOS and Safari attacked with a new zero-day bug

February 14, 2023 | Ravie Lakshmanan | Device Security / Zero Day

Apple rolled out security updates for iOS, iPadOS, macOS, and Safari on Monday to fix a zero-day bug that it said was actively being exploited in the wild.

Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be triggered when processing maliciously crafted web content, culminating in arbitrary code execution.

The iPhone maker said the bug has been fixed with improved checks, adding that it is “aware of a report that this issue may have been actively exploited.” An anonymous researcher has been credited with reporting the bug.

It’s not immediately clear how the vulnerability is being exploited in real-world attacks, but it is the second actively abused type confusion vulnerability in WebKit that Apple has patched in as many months, following CVE-2022-42856, which was closed in December 2022.

WebKit bugs are also notable for affecting every third-party web browser available for iOS and iPadOS, because Apple’s platform restrictions require browser vendors to use the same rendering engine.

The company is also addressing a use-after-free issue in the kernel (CVE-2023-23514) that could allow a rogue app to run arbitrary code with the highest privileges.

Reporting the issue is credited to Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero. Apple said it fixed the vulnerability with improved memory management.

Separately, the latest macOS update also fixes a privacy flaw in Shortcuts that a malicious app could exploit to “observe unprotected user data.” The problem, Apple says, was addressed through improved handling of temporary files.

Users are recommended to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1 and Safari 16.3.1 to mitigate potential risks. The updates are available for the following devices:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura, macOS Big Sur, and macOS Monterey

Apple fixed a total of 10 zero-days in its software in 2022, nine of which were reported to be actively exploited by threat actors. Four of these bugs were discovered in WebKit.
