Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs.
The zero-day patched today is tracked as CVE-2023-23529 [1, 2] and is a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.
Successful exploitation enables attackers to execute arbitrary code on devices running vulnerable iOS, iPadOS, and macOS versions after opening a malicious web page (the bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey).
"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," Apple said when describing the zero-day.
"We would like to acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance."
Apple addressed CVE-2023-23529 with improved checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.
The complete list of impacted devices is quite extensive, as the bug affects older and newer models, and it includes:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
Today, Apple also patched a kernel use after free flaw (CVE-2023-23514) reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero that could lead to arbitrary code with kernel privileges on Macs and iPhones.
First zero-day patched by Apple this year
Although the company disclosed that it's aware of in-the-wild exploitation reports, it has yet to publish information regarding these attacks.
By restricting access to this information, Apple likely wants to allow as many users as possible to update their devices before more attackers pick up on the zero-day's details to develop and deploy their own custom exploits targeting vulnerable iPhones, iPads, and Macs.
While this zero-day bug was likely only used in targeted attacks, installing today's emergency updates as soon as possible is highly recommended to block potential attack attempts.
Last month, Apple also backported security patches for a remotely exploitable zero-day flaw discovered by Clément Lecigne of Google's Threat Analysis Group to older iPhones and iPads.