Apple released security updates for its iOS, iPadOS, macOS, and Safari to address a new zero-day vulnerability in the WebKit browser engine. Tracked as CVE-2023-23529, the vulnerability is a type confusion bug that could be triggered when processing maliciously crafted web content, leading to arbitrary code execution. Apple said that it is “aware of a report that this issue may have been actively exploited.” The flaw was discovered by an anonymous researcher, who was credited with reporting it.
While it is not clear how the vulnerability is being exploited in real-world attacks, it is the second actively exploited type confusion flaw in WebKit to be patched by Apple in as many months. In December 2022, Apple released a patch for CVE-2022-42856, another type confusion flaw in WebKit that was being actively exploited. WebKit flaws are significant because they impact every third-party web browser that is available for iOS and iPadOS, owing to Apple’s restrictions that require browser vendors to use the same rendering framework.
Apple has also addressed a use-after-free issue in the Kernel (CVE-2023-23514), which could allow a rogue app to execute arbitrary code with the highest privileges. The flaw was discovered by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero, who were credited with reporting it. Apple has resolved the vulnerability with improved memory management.
Additionally, the latest macOS update plugs a privacy defect in Shortcuts that a malware-laced app could use to “observe unprotected user data.” The flaw was fixed with improved handling of temporary files.
Apple recommends that users update their devices to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to mitigate potential risks. The updates are available for the following devices:
- iPhone 8 and later
- iPad Pro (all models)
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
- Macs running macOS Ventura, macOS Big Sur, and macOS Monterey
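As an added example that is not part of the article: a small POSIX shell script a Mac administrator could run locally or push through management tooling to compare the installed macOS and Safari versions with the fixed versions named above. The version numbers come from the article; the `sw_vers` and `defaults read` invocations, the function names and the status strings are this example's own. The article names no macOS version for Big Sur and Monterey hosts, so for those the script reports only the Safari check.

```shell
#!/bin/sh
# Added example, not from the article: compare a Mac's installed macOS and
# Safari versions against the fixed versions the article names. The local
# readers (sw_vers, defaults read) only exist on macOS; on another host the
# report is skipped and just the comparison helpers are usable.

PATCHED_MACOS_VENTURA="13.2.1"   # macOS Ventura 13.2.1, from the article
PATCHED_SAFARI="16.3.1"          # Safari 16.3.1, from the article

# version_ge A B: succeed when dotted numeric version A is >= B.
# Components are compared left to right; a missing component counts as 0,
# so "13.2" is treated as "13.2.0" and sorts below "13.2.1".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the component just read, or empty the string on the last one
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        : "${ai:=0}"; : "${bi:=0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# macos_status VERSION: "patched" or "missing-update" for Ventura (13.x);
# "check-safari" for other releases, where the article gives only a Safari
# version, so the OS number alone says nothing about this fix.
macos_status() {
    case "$1" in
        13.*)
            if version_ge "$1" "$PATCHED_MACOS_VENTURA"; then
                echo patched
            else
                echo missing-update
            fi ;;
        *)  echo check-safari ;;
    esac
}

# safari_status VERSION: "patched" or "missing-update" against Safari 16.3.1.
safari_status() {
    if version_ge "$1" "$PATCHED_SAFARI"; then echo patched; else echo missing-update; fi
}

# Local readers (hypothetical helper names); meaningful only on macOS.
installed_macos()  { sw_vers -productVersion 2>/dev/null; }
installed_safari() {
    defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null
}

# report: print one line per component with its patch status.
report() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "not running on macOS; nothing to report"
        return 0
    fi
    m="$(installed_macos)"; s="$(installed_safari)"
    echo "macOS  ${m:-unknown} -> $(macos_status "$m")"
    echo "Safari ${s:-unknown} -> $(safari_status "$s")"
}

report
```

The comparison deliberately avoids `sort -V`, which is not guaranteed on every shell environment, so the same script works unchanged on a management host that only aggregates versions collected elsewhere.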
Apple remediated a total of 10 zero-day vulnerabilities across its software in 2022, nine of which were disclosed as actively exploited by threat actors. Four of those flaws were discovered in WebKit.
The timely release of security updates for zero-day vulnerabilities is critical for preventing attacks from causing widespread damage. Users are advised to keep their software up to date and to exercise caution when opening links or downloading attachments from untrusted sources. As cyber threats continue to evolve and become more sophisticated, it is essential that users take cybersecurity seriously and stay vigilant to protect their personal information and devices.