WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities
Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild.
The three security shortcomings are listed below –
- CVE-2023-32409 – A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks.
- CVE-2023-28204 – An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation.
- CVE-2023-32373 – A use-after-free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management.
The iPhone maker credited Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting the other two issues.
It's worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of Rapid Security Response updates – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – the company released at the start of the month.
There are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them.
That said, such weaknesses have historically been leveraged as part of highly targeted intrusions to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.
The latest updates are available for the following devices and operating systems –
- iOS 16.5 and iPadOS 16.5 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- iOS 15.7.6 and iPadOS 15.7.6 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- macOS Ventura 13.4 – macOS Ventura
- tvOS 16.5 – Apple TV 4K (all models) and Apple TV HD
- watchOS 9.5 – Apple Watch Series 4 and later
- Safari 16.5 – macOS Big Sur and macOS Monterey
Apple has so far remediated a total of six actively exploited zero-days since the start of 2023. Earlier this February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution.
Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and Ó Cearbhaill were credited with reporting the security defects.