On Thursday, Apple released a slew of updates that added several new features to the iPhone and Mac. But more importantly, the updates include three critical zero-day fixes for security vulnerabilities known to have been exploited.
WebKit flaws span the Apple device family and have been fixed in iOS 16.5, iPadOS 16.5, watchOS 9.5, macOS 13.4, and tcOS 16.5, as well as iOS/iPadOS 15.7.6, macOS Monterey 12.6.6, and macOS Big Sur 11.7. 7 as well as Safari 16.5. All updates include the same five WebKit fixes, three of which are known to have been broken:
webkit
- Influence: Processing web content may reveal sensitive information
- Description: Reading out of range was addressed with improved input validation.
- Bugzilla webkit: 255075
CVE-2023-32402: anonymous researcher
webkit
- Impact. The processing of web content may result in the disclosure of confidential information.
- Description. A buffer overflow issue was addressed with improved memory handling.
- Bugzilla webkit: 254781
CVE-2023-32423: Ignacio Sanmillan (@ulexec)
webkit
- Influence: A remote attacker can exit the web content sandbox. Apple is aware of a report of possible active exploitation of this issue.
- Description: This issue was addressed with improved bounds checking.
- Bugzilla webkit: 255350
CVE-2023-32409: Clement Lesin of the Google Threat Intelligence Team and Donncha O Serbhail of the Amnesty International Security Lab
webkit
- Influence: The processing of web content may result in the disclosure of confidential information. Apple is aware of a report that this issue may have been actively exploited.
- Description: Reading out of range was addressed with improved input validation.
- Bugzilla webkit: 254930
CVE-2023-28204: anonymous researcher
webkit
- Influence: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A use after free issue was addressed with improved memory management.
- Bugzilla webkit: 254840
CVE-2023-32373: anonymous researcher
Two of the three zero-day vulnerabilities, CVE-2023-28204 and CVE-2023-32373, were previously patched as part of the first Apple Rapid Security Response updates for iOS and iPadOS (16.4.1(a)) and macOS Ventura (13.3.1( A)).
To update your iPhone or iPad, go to the Settings app, then General And Software update. On a Mac, go to System Preferences, then General, and Software update; on pre-Ventura Macs, find the System Preferences app, then Software update.