Apple fixes WebKit 0-days under attack (CVE-2023-28204, CVE-2023-32373, CVE-2023-32409)

Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that “may have been actively exploited.”


The notes accompanying the updates also revealed that Apple’s first Rapid Security Response update, which was pushed out earlier this month, contained fixes for two WebKit 0-days (CVE-2023-28204 and CVE-2023-32373).

About the vulnerabilities

CVE-2023-28204 and CVE-2023-32373 can be triggered when WebKit – the browser engine that powers Safari and all web browsers on iOS and iPadOS – processes specially crafted web content. The former can lead to disclosure of sensitive information, the latter to arbitrary code execution. Both were flagged by an anonymous researcher.

CVE-2023-32409 may allow a remote attacker to “break out of Web Content sandbox.” It was reported by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.

The two researchers were credited last month with reporting two actively exploited zero-day vulnerabilities in macOS, iOS and iPadOS, though details about those attacks are still not publicly available.

Details about the attacks in which these latest WebKit zero-days are being exploited are also undisclosed, since Apple is famously tight-lipped when it comes to sharing those.

Users of iDevices are advised to upgrade to:

Fixes for the three WebKit zero-days are not present in the older macOS versions, but the Safari update has them. If you are running those, update Safari.

The Rapid Security Response updates are also only available for the latest macOS, iOS and iPadOS versions, which is another reason why users of older versions should apply these latest updates as quickly as possible.
