Apple has released security updates for iOS, iPadOS, macOS, and Safari to address a zero-day vulnerability that the company says may have been actively exploited in the wild (ITW).
The vulnerability, CVE-2023-23529, is a type confusion bug in the WebKit browser engine. It can be triggered by processing maliciously crafted web content and allows an attacker to execute arbitrary code. Apple says the flaw has been patched and that it is aware of a report that the issue may have been actively exploited.
WebKit flaws are also notable because they affect every third-party browser available for iOS and iPadOS: Apple's App Store rules require all browsers on those platforms to use the same WebKit rendering engine, so a WebKit bug is not confined to Safari.
Another vulnerability patched in this release is tracked as CVE-2023-23514. It allows a malicious application to execute arbitrary code with kernel privileges. It was reported to Apple by researchers including Google Project Zero. Apple said it fixed the vulnerability with improved memory management.
The macOS update also fixes a privacy flaw in Shortcuts that a malicious app could use to observe unprotected user data. According to Apple, it was fixed with improved handling of temporary files.
Users are advised to update immediately to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1 and Safari 16.3.1. The updates are available for the following devices:
- iPhone 8 and later, iPad Pro (all models);
- iPad Air 3rd generation and later;
- iPad 5th generation and later;
- iPad mini 5th generation and later;
- Macs running macOS Ventura (macOS 13.2.1), and Macs running macOS Big Sur or macOS Monterey (Safari 16.3.1).
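A quick way to confirm that a Mac already carries the builds named above, as an added example that is not part of the original article: the minimum versions (macOS Ventura 13.2.1, Safari 16.3.1 on Big Sur and Monterey) come from the advisory, while the version-comparison logic, the helper names and the Safari Info.plist lookup are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: check whether a Mac already
# carries the builds named in Apple's advisory. Minimum versions come from
# the article (macOS Ventura 13.2.1, Safari 16.3.1); the comparison logic
# and helper names are this example's own.

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Missing trailing components count as 0, so 13.2 < 13.2.1 and 13.2.0 == 13.2.
# Assumes purely numeric components, which Apple version strings satisfy.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x="${a%%.*}"; a="${a#*.}";; *) x="$a"; a="";; esac
        case "$b" in *.*) y="${b%%.*}"; b="${b#*.}";; *) y="$b"; b="";; esac
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# patch_status NAME INSTALLED MINIMUM: print one status line.
patch_status() {
    if version_ge "$2" "$3"; then
        printf '%s %s: PATCHED (>= %s)\n' "$1" "$2" "$3"
    else
        printf '%s %s: UPDATE REQUIRED (< %s)\n' "$1" "$2" "$3"
    fi
}

# check_host: read live versions on macOS. Ventura must be on 13.2.1; Big Sur
# and Monterey receive the WebKit fix through Safari 16.3.1 instead, so the
# Safari bundle version is what matters there. Prints nothing off macOS.
check_host() {
    command -v sw_vers >/dev/null 2>&1 || return 0
    os="$(sw_vers -productVersion)"
    case "$os" in
        13.*) patch_status "macOS Ventura" "$os" 13.2.1 ;;
        11.*|12.*)
            # Assumes the stock Safari install path and Info.plist key.
            safari="$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null)"
            patch_status "Safari" "${safari:-0}" 16.3.1 ;;
        *) printf 'macOS %s: not covered by this advisory\n' "$os" ;;
    esac
}

check_host
```

The comparison deliberately treats a missing component as zero rather than as a string, so a host reporting 13.2 is correctly flagged as older than 13.2.1; a plain lexical compare would get that case wrong.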
In 2022, Apple fixed a total of 10 zero-day vulnerabilities in its software. Most of them were actively exploited, and about half were in WebKit.