
Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs.

The zero-day patched today is tracked as CVE-2023-23529 and is a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.

Successful exploitation enables attackers to execute arbitrary code on devices running vulnerable iOS, iPadOS, and macOS versions after opening a malicious web page (the bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey).

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," Apple said when describing the zero-day.

"We would like to acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance."

Apple addressed CVE-2023-23529 with improved checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.

The complete list of impacted devices is quite extensive, as the bug affects older and newer models, and it includes:

  • iPhone 8 and later
  • iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura
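
An added example, not from Apple or the original article: a small inventory check that flags devices still below the fixed releases named above. The host names, CSV columns and status labels are constructed for illustration.

```python
import csv
import io

# Fixed releases as stated in the article for CVE-2023-23529.
FIXED = {"iOS": (16, 3, 1), "iPadOS": (16, 3, 1), "macOS": (13, 2, 1)}

# Constructed inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,platform,os_version
iphone-014,iOS,16.3
iphone-022,iOS,16.3.1
ipad-003,iPadOS,16.2
mac-101,macOS,13.2.1
mac-102,macOS,13.1
mac-103,macOS,12.6.3
kiosk-07,iOS,16.x
"""

def parse_version(text):
    """Turn '16.3' into (16, 3, 0) so versions compare numerically, not as strings."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(platform, version):
    """Classify one device against the fixed release for its platform."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown-platform"
    try:
        current = parse_version(version)
    except ValueError:
        return "unparseable"  # surface bad inventory data instead of guessing
    if current >= fixed:
        return "patched"
    if current[0] == fixed[0]:
        return "needs-update"
    # Older major release: the article names no fixed OS build for it.
    # On macOS Big Sur and Monterey the Safari version is what matters.
    return "review-manually"

def audit(inventory_csv):
    """Return {host: status} for every row of a CSV inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```
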

Today, Apple also patched a kernel use-after-free flaw (CVE-2023-23514) reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero that could lead to arbitrary code execution with kernel privileges on Macs and iPhones.

First zero-day patched by Apple this year

Although the company disclosed that it's aware of in-the-wild exploitation reports, it has yet to publish information regarding these attacks.

By restricting access to this information, Apple likely wants to allow as many users as possible to update their devices before more attackers pick up on the zero-day's details to develop and deploy their own custom exploits targeting vulnerable iPhones, iPads, and Macs.

While this zero-day bug was likely only used in targeted attacks, installing today's emergency updates as soon as possible is highly recommended to block potential attack attempts.

Last month, Apple also backported security patches for a remotely exploitable zero-day flaw discovered by Clément Lecigne of Google's Threat Analysis Group to older iPhones and iPads.
