Apple has warned that three vulnerabilities in its Webkit browser engine tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 are under active exploitation. Since Apple uses Webkit in Safari and demands that it be used in other browsers on iOS, this puts every iPhone with a web browser installed at risk.
All three of these vulnerabilities are present in iPhone 8 and later, all models of the iPad Pro, iPad Air (third generation) to the latest model, iPads from the fifth generation to the latest model and iPad Minis from the fifth generation to the latest one. Here’s a quick breakdown of all three vulnerabilities:
- CVE-2023-32409: Allows a remote attacker to break out of the Web Content sandbox.
- CVE-2023-28204: Processing web content may disclose sensitive information.
- CVE-2023-32373: Processing maliciously crafted web content may lead to arbitrary code execution.
The vulnerabilities are so fresh off the bat that they don’t even have CVSS ratings yet. Apple with its policy of not disclosing or discussing vulnerabilities unless there’s a patch readily available is urging customers to update their devices as soon as possible as the news of them being actively exploited massively undermines Apple’s claims of being great at device security.
Overall, the company released eight security advisories on May 18, covering a total of 199 CVEs in other Apple products including macOS Big Sur, Vetnure and Monterey. Out of these, 39 vulnerabilities affect iOS 16.5 and iPadOS 16.5. A vulnerability on the Apple Watch has also been discovered, by a Chinese high-school student named Zitong Wu.
Exploitation can lead to anything from arbitrary code execution (in some cases, with pernel privileges) to the restoration of deleted photos, apps accessing sensitive information, privacy permissions granted to one app being accessible by another malicious one and information leaks including location data and much more.
The exploitation of the aforementioned Apple Watch vulnerability could lead to an attacker being able to view user photos or contacts via accessibility features, but it does require physical access.
In addition to causing problems across the board, the news of such vulnerabilities in the Webkit engine might open Apple to considering switching to other browser engines or at least allowing them on its platforms. That said, most of these vulnerabilities still require Apple the pick up the slack and get its security practices in place.
In the News: Nvidia announce RTX 4060 and RTX 4060Ti for $299 and $399