Apple has released emergency patches to fix a new 0-day vulnerability in WebKit (CVE-2023-23529), which is already being exploited by hackers in attacks on iPhone, iPad and Mac devices.
This year’s first 0-day in Apple products is a type confusion problem in the WebKit engine. The vulnerability is known to be exploitable to cause crashes and arbitrary code execution on compromised devices.Let me remind you that we also wrote that Apple Fixes at Once Two 0-Day Vulnerabilities That Threatened iOS, MacOS and Safari, and also that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina.
That is, an attacker will be able to execute arbitrary code on devices with vulnerable versions of iOS, iPadOS and macOS if the victim visits a malicious web page (the bug affects Safari 16.3.1 on macOS Big Sur and Monterey).
Although the company says it is aware of hackers exploiting the bug, it does not disclose any details of these attacks. Apple probably wants to give users as much time as possible to install updates, while other attackers do not yet know the details of this 0-day and create their own exploits targeting iPhone, iPad and Mac.
CVE-2023-23529 was fixed in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.
The full list of affected devices is quite large, as the bug affects both old and new device models, including:
- iPhone 8 and newer;
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later;
- Mac computers running macOS Ventura.
It’s also worth noting that Apple released another patch this week and fixed a use after free issue in the kernel (CVE-2023-23514) reported by Google Project Zero experts. This vulnerability could also lead to arbitrary code execution on Macs and iPhones, but also with kernel-level privileges.
You may also be interested in the media reporting that Bugs in Apple Pay, Samsung Pay, and Google Pay allow unauthorized purchases.