On Thursday, Apple released a series of updates bringing a few new features to iPhone and Mac. But more importantly, the updates include three critical zero-day patches for security vulnerabilities known to be actively exploited. The most alarming bug allows a hacker to access personal data and take control of your device through a malicious app.
WebKit flaws span Apple’s device family and have been patched in iOS 16.5, iPadOS 16.5, watchOS 9.5, macOS 13.4 and tvOS 16.5, as well as iOS/iPadOS 15.7.6, macOS Monterey 12.6.6 and macOS Big On 11.7. 7, as well as Safari 16.5. All updates include the same five WebKit fixes, three of which are known to have been exploited:
Webkit
- Impact: Processing web content may disclose sensitive information
- Description: An out-of-bounds read has been resolved with better input validation.
- With WebKit Bugz: 255075
CVE-2023-32402: an anonymous researcher
Webkit
- Impact: Processing web content may disclose sensitive information
- Description: A buffer overflow issue was addressed through improved memory management.
- With WebKit Bugz: 254781
CVE-2023-32423: Ignacio Sanmillan (@ulexec)
Webkit
- Impact: A remote attacker may be able to break out of the web content sandbox. Apple is aware of a report that this issue may have been actively exploited.
- Description: The issue was addressed with improved limit checks.
- With WebKit Bugz: 255350
CVE-2023-32409: Clément Lecigne from Google’s Threat Analysis Group and Donncha Ó Cearbhaill from Amnesty International’s Security Lab
Webkit
- Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
- Description: An out-of-bounds read has been resolved with better input validation.
- With WebKit Bugz: 254930
CVE-2023-28204: an anonymous researcher
Webkit
- Impact: Processing maliciously crafted web content may lead to the execution of arbitrary code. Apple is aware of a report that this issue may have been actively exploited.
- Description: A use-after-free issue was addressed with better memory management.
- With WebKit Bugz: 254840
CVE-2023-32373: an anonymous researcher
Two of the three Zero Day flaws, CVE-2023-28204 and CVE-2023-32373, were previously patched as part of Apple’s first Rapid Security Response updates for iOS and iPadOS (16.4.1(a)) and macOS Ventura (13.3.1(a)).
To update your iPhone or iPad, go to the Settings app, then General And Software update. On a Mac, go to System Settings, then General and Software update; on pre-Ventura Macs, find the System Preferences app, then Software update.