If you’re an Apple user with various devices, you should pay close attention to the latest updates the company just released. More specifically, security updates for macOS, iOS, iPadOS, and Safari were rolled out to fix a zero-day that has been exploited in the wild.
What Is CVE-2023-23529?
CVE-2023-23529 is a type confusion vulnerability in WebKit, Apple’s browser engine used in Safari, as well as all web browsers on iOS and iPadOS. The flaw is caused by processing malicious web content, and could lead to arbitrary code execution on exposed devices. It was fixed with improved checks, according to Apple’s advisory.
The primary purpose of exploitation could be associated with spyware activities a.k.a. spying on users, but there is no official confirmation as to how the flaw was exploited.
CVE-2023-23529 has been patched in the following operating systems – iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3.1, and probably in tvOS 16.3.2 and watchOS 9.3.1 (which will need to be confirmed additionally).
It is also noteworthy that the vulnerability was initially reported by an anonymous researcher but then The Citizen Lab at The University of Toronto’s Munk School was also mentioned as a contributor.
Other Vulnerabilities Fixed by Apple in February 2023
Apple fixed a user-after-free vulnerability in the Kernel component, identified as CVE-2023-23514. The issue could allow malicious applications to execute arbitrary code with the highest privileges. It has been fixed with improved memory management.
The latest macOS release also fixed a privacy issue in Shortcuts which could enable malicious apps to observe unprotected user data. Fortunately, this loophole is also fixed – with improved handling of temporary files.
To avoid any possible exploit scenarios, you should update to the latest versions – iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1. As for the affected devices, the list includes iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and Macs running macOS Ventura, macOS Big Sur, and macOS Monterey.
In February 2021, another WebKit vulnerability, CVE-2021-1801, was exploited by a malvertising campaign to inject malicious payloads that redirected users to sites designed for gift card scams.