Apple on Monday released security updates for iOS, iPados, MacOS and Safari to eliminate zero -day vulnerability, which, according to the company, were actively used in the wild (itW).
The vulnerability of the CVE-2023-23529 is associated with the error of the confusion (Type Confusion) in the WEBKIT browser engine. It can be activated in the processing of malicious web content, as a result of which attackers are available to the execution of arbitrary code. The company said that the vulnerability was eliminated and that it was really actively operated by hackers at the time of closing. An anonymous security researcher was reported in Cupertino.
Webkit disadvantages are also notable for the fact that they affect all third-party web browsers available for iOS and iPados. This is due to Apple restrictions, which require that the developers of all browsers use the same rendering environment.
Another vulnerability for which the patch was released is monitored by the identifier CVE-2023-23514. It allows a malicious application to execute an arbitrary code with the highest privileges. Apple was reported about her security researchers from Google Project Zero. Apple said she eliminated vulnerability with improved memory management.
In addition, the latest MacOS update also eliminates the confidentiality defect in shortcuts that malicious applications can use to “observe unprotected user data.” The vulnerability, as noted in Apple, was fixed with improved processing of temporary files.
Users are recommended to immediately update to iOS 16.3.1, iPados 16.3.1, MacOS Ventura 13.2.1 and Safari 16.3.1 to reduce all potential risks. Updates are already available for the following devices:
- iPhone 8 and later versions, iPad Pro (all models);
- 3rd generation iPad Air and later versions;
- iPad of the 5th generation and later versions;
- iPad mini of the 5th generation and later versions;
- Mac computers under the control of MacOS Ventura, MacOS Big Sur and MacOS Monterey.
In 2022, Apple corrected a total of 10 zero -day vulnerabilities, covering its software. Most of them were actively used by attackers, and about half touched Webkit.