- On February 13, Apple fixed multiple vulnerabilities, one of which is a zero-day flaw that is being exploited in the wild.
- The vulnerability affects most of the iPhone and iPad product families along with Safari 16.3.1 and other products.
- Apple didn’t share any information about the technical details of the exploit but urged all users to update their devices immediately.
Apple has released a security update to address multiple vulnerabilities, one of which is a zero-day vulnerability. Apple admitted that the vulnerability, tracked as CVE-2023-23529, is being exploited in the wild. The WebKit type-confusion flaw can cause OS crashes and allows arbitrary code execution. The vulnerability was reported by an anonymous researcher and can be exploited with maliciously crafted web content.
Under attack
According to the advisory published by Apple, the patches are available for Safari 16.3.1, macOS 13.2.1, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Since it is a WebKit flaw, third-party web browsers available for iOS and iPadOS are also impacted by the vulnerability.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Although Apple didn’t disclose the details of exploitation, this is Apple’s first zero-day patch for 2023 and users are warned to apply the update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 as soon as possible to stay safe.
Along with WebKit vulnerability, Apple has also patched:
iOS16.3.1 and iPadOS 16.3.1 Kernel:
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A use-after-free issue was addressed with improved memory management.
- CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero
macOS Ventura 13.2.1 Kernel:
- Available for: macOS Ventura
- Impact: An app may be able to execute arbitrary code with kernel privileges
- Description: A use-after-free issue was addressed with improved memory management.
- CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero
macOS Ventura 13.2.1 Shortcuts:
- Available for: macOS Ventura
- Impact: An app may be able to observe unprotected user data
- Description: A privacy issue was addressed with improved handling of temporary files.
- CVE-2023-23522: Wenchao Li and Xiaolong Bai of Alibaba Group