Apple backports fix for exploited WebKit bug to older iPhones, iPads (CVE-2023-23529)
Apple has released security updates for – pardon the pop-culture reference – everyhing everywhere all at once, and has fixed the WebKit vulnerability (CVE-2023-23529) exploited in the wild for users of older iPhones and iPads.
This latest batch of security updates targets the iOS and iPad 16.x and 15.x branches; macOS Big Sur, Monterey and Ventura; watchOS and tvOS; Safari; and Studio Display, a standalone computer monitor / external display.
The CVE-2023-23529 fix for older iPhones
The presently most important fix among those delivered is the one for CVE-2023-23529, a type confusion issue in the WebKit browser engine, which can be triggered by maliciously crafted web content and ultimately allow code execution.
Reported by an anonymous researcher, the flaw “may have been actively exploited” (according to Apple) and has initially been fixed in iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 in February 2022.
Details about specific attacks exploiting this flaw have yet to be publicly shared, but users of iPhone 6s, 7, SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) devices are advised to implement the update as soon as possible.
Other vulnerabilities of note
Additional WebKit flaws have been fixed in Safari and macOS Ventura updates. Among the most attention-grabbing (though not critical) vulnerabilities fixed this Monday are:
- CVE-2023-27951, Gatekeeper bypass flaw that can be triggered with an archive file
- CVE-2023-23537, a privacy issue in the Find My component that could be exploited by an app to read sensitive location information
- CVE-2023-27965, a memory corruption issue that could allow an app to execute arbitrary code with kernel privileges
CVE-2023-27965 was fixed in macOS Ventura and Studio Display’s firmware update.
“Apparently, if you’re running macOS Ventura and you’ve hooked your Mac up to a Studio Display, just updating the Ventura operating system itself isn’t enough to secure you against potential system-level attacks,” noted Paul Ducklin, Sophos Head of Technology for the Asia Pacific region.
He also delineated a security-minded Studio Display update process for those users who won’t be able to implement the update immediately or for a while (i.e., before a PoC is publicly released or criminals figure out how to exploit the flaw).