Apple fixes new WebKit zero-day exploited to hack iPhones, Macs

Apple fixes new WebKit zero-day exploited to hack iPhones, Macs

Apple has launched emergency safety updates to handle a brand new zero-day vulnerability utilized in assaults to hack iPhones, iPads, and Macs.

The zero-day patched right this moment is tracked as CVE-2023-23529 [1, 2] and is a WebKit confusion concern that might be exploited to set off OS crashes and achieve code execution on compromised units.

Profitable exploitation permits attackers to execute arbitrary code on units working susceptible iOS, iPadOS, and macOS variations after opening a malicious net web page (the bug additionally impacts Safari 16.3.1 on macOS Large Sur and Monterey).

“Processing maliciously crafted net content material could result in arbitrary code execution. Apple is conscious of a report that this concern could have been actively exploited,” Apple mentioned when describing the zero-day.

“We wish to acknowledge The Citizen Lab at The College of Toronto’s Munk Faculty for his or her help.”

Apple addressed CVE-2023-23529 with improved checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.

The entire checklist of impacted units is kind of in depth, because the bug impacts older and newer fashions, and it consists of:

  • iPhone 8 and later
  • iPad Professional (all fashions), iPad Air third technology and later, iPad fifth technology and later, and iPad mini fifth technology and later
  • Macs working macOS Ventura

At the moment, Apple additionally patched a kernel use after free flaw (CVE-2023-23514) reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Undertaking Zero that might result in arbitrary code with kernel privileges on Macs and iPhones.

First zero-day patched by Apple this 12 months

Though the corporate disclosed that it is conscious of in-the-wild exploitation experiences, it has but to publish info concerning these assaults.

By proscribing entry to this info, Apple seemingly desires to permit as many customers as attainable to replace their units earlier than extra attackers choose up on the zero-day’s particulars to develop and deploy their very own customized exploits focusing on susceptible iPhones, iPads, and Macs.

Whereas this zero-day bug was seemingly solely utilized in focused assaults, putting in right this moment’s emergency updates as quickly as attainable is very beneficial to dam potential assault makes an attempt.

Final month, Apple additionally backported safety patches for a remotely exploitable zero-day flaw found by Clément Lecigne of Google’s Menace Evaluation Group to older iPhones and iPads.