
Patch Now: Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

Feb 14, 2023 | Ravie Lakshmanan | Device Security / Zero Day


Apple on Monday rolled out security updates for iOS and iPadOS [1], macOS [2], and Safari [3] to address a zero-day flaw that it said has been actively exploited in the wild.

Tracked as CVE-2023-23529, the issue relates to
a type confusion bug in the WebKit browser engine that could be
activated when processing maliciously crafted web content,
culminating in arbitrary code execution.

The iPhone maker said the bug was addressed with improved
checks, adding it’s “aware of a report that this issue may have
been actively exploited.” An anonymous researcher has been credited
with reporting the flaw.

It’s not immediately clear how the vulnerability is being exploited in real-world attacks, but it is the second actively abused type confusion flaw in WebKit that Apple has patched in as many months, following CVE-2022-42856 [4], which was closed in December 2022.

WebKit flaws are also notable for the fact that they impact
every third-party web browser that’s available for iOS and iPadOS
owing to Apple’s restrictions that require browser vendors to use
the same rendering framework.

Also addressed by the company is a use-after-free issue in the
Kernel (CVE-2023-23514) that could permit a rogue app to execute
arbitrary code with the highest privileges.

Credited with reporting the issue are Xinru Chi of Pangu Lab and
Ned Williamson of Google Project Zero. Apple said it resolved the
vulnerability with improved memory management.

Separately, the latest macOS update also plugs a privacy defect
in Shortcuts that a malware-laced app can take advantage of to
“observe unprotected user data.” The problem, Apple noted, was
fixed with improved handling of temporary files.

Users are advised to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to mitigate potential risks. The updates are available for the following devices:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd
    generation and later, iPad 5th generation and later, and iPad mini
    5th generation and later
  • Macs running macOS Ventura, macOS Big Sur, and macOS
    Monterey
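As an added example (not part of the article), the following Python helper compares a device inventory export against the fixed versions named above and flags devices still awaiting the update; the inventory rows are constructed, and the `FIXED_VERSIONS` table contains only the versions the advisory states.

```python
# Added example (not from the article): flag devices in an inventory export
# that have not yet received the fix versions named in Apple's advisory.

# Fixed versions as stated in the article. Big Sur and Monterey received
# updates too, but the article gives no version numbers for them, so any
# Mac on those trains is marked for manual review rather than guessed.
FIXED_VERSIONS = {
    "iOS": "16.3.1",
    "iPadOS": "16.3.1",
    "Safari": "16.3.1",
    "macOS": "13.2.1",  # macOS Ventura
}
MANUAL_REVIEW_MACOS_MAJORS = {11, 12}  # Big Sur (11.x), Monterey (12.x)

def parse_version(text: str) -> tuple:
    """Turn '16.3.1' into (16, 3, 1); '16.3' becomes (16, 3, 0) so comparison is positional."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def patch_status(platform: str, version: str) -> str:
    """'patched', 'unpatched', 'review' (fix version not stated) or 'unknown' (not in advisory)."""
    if platform not in FIXED_VERSIONS:
        return "unknown"
    current = parse_version(version)
    if platform == "macOS" and current[0] in MANUAL_REVIEW_MACOS_MAJORS:
        return "review"
    return "patched" if current >= parse_version(FIXED_VERSIONS[platform]) else "unpatched"

def unpatched_devices(inventory: list) -> list:
    """Return (device_id, status) for every device that is not confirmed patched."""
    statuses = ((d["id"], patch_status(d["platform"], d["version"])) for d in inventory)
    return [(dev, status) for dev, status in statuses if status != "patched"]

# Constructed sample inventory rows (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "platform": "iOS", "version": "16.3.1"},
    {"id": "iphone-002", "platform": "iOS", "version": "16.3"},
    {"id": "ipad-001", "platform": "iPadOS", "version": "16.2"},
    {"id": "mac-001", "platform": "macOS", "version": "13.2.1"},
    {"id": "mac-002", "platform": "macOS", "version": "13.2"},
    {"id": "mac-003", "platform": "macOS", "version": "12.6.3"},
]

if __name__ == "__main__":
    for device_id, status in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: {status}")
```

Devices reported as `review` sit on a macOS train the advisory covers without naming a version, so they need a manual check against the vendor's release notes rather than an automatic verdict.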

Apple remediated a total of 10 zero-days spanning its software
in 2022, nine of which were disclosed as actively exploited by
threat actors. Four of those flaws were discovered in WebKit.


References

  1. iOS and iPadOS security update (support.apple.com)
  2. macOS security update (support.apple.com)
  3. Safari security update (support.apple.com)
  4. CVE-2022-42856 (thehackernews.com)
