Apple has released security updates to address an actively exploited Webkit vulnerability on older iPhones and iPads. While the bug has already been fixed for iOS 16, this update addresses the issue for iOS 15.7.4 and iPadOS 15.7.4 with improved checks.
Affected devices by the vulnerability, tracked as CVE-2023-23529 include all models of the iPhone 6s and iPhone 7, the first-generation iPhone SE, iPad Air 2, fourth-generation iPad Mini and seventh-generation iPod touch.
As for the bug itself, it’s a Webkit-type confusion issue that attackers can exploit to trigger OS crashes and gain arbitrary code execution privileges on infected iOS and iPadOS devices after tricking the user into opening malicious web pages.
Apple is aware that the vulnerability has been actively exploited in the wild but is yet to release any information on the exploit itself. This is standard procedure for Apple when disclosing security patches for already exploited zero-day vulnerabilities as withholding such information gives customers more time to update their devices while slowing down potential threat actors at the same time.
That said, due to the nature of the vulnerability it’s highly likely that it was only exploited in targeted attacks only. Regardless, it’s advised that users owning impacted devices install the security update as soon as possible to block targetting attempts.
Other fixes in this security update include the following.
Affected App/Service | Vulnerability CVE Code | Description |
---|---|---|
Accessibility | CVE-2023-23541 | Addressed a privacy issue with improved private data redaction for log entries. |
Calendar | CVE-2023-27961 | Multiple validation issues were addressed to prevent info extraction. |
Camera | CVE-2023-23543 | Additional restrictions placed on app state observability. |
CommCenter | CVE-2023-27936 | Addressed out-of-bounds write issue with improved input validation. |
Find My | CVE-2023-23537 | Addressed a privacy issue with improved private data redaction for log entries. |
FontParser | CVE-2023-27956 | Added better memory handling. |
Identity Services | CVE-2023-27928 | Addressed a privacy issue with improved private data redaction for log entries. |
ImageIO | CVE-2023-27946 | Memory out-of-bounds issue addressed with improved bounds checking. |
ImageIO | CVE-2023-23535 | Added better memory handling. |
Kernel | CVE-2023-27941 | A validation issue was addressed with improved input sanitation. |
Kernel | CVE-2023-27969 | A use-after-free issue was addressed with improved memory management. |
Model I/O | CVE-2023-27949 | Memory out-of-bounds issue addressed with improved input validation. |
NetworkExtension | CVE-2023-28182 | Addressed an issue with improved authentication. |
Shortcuts | CVE-2023-27963 | Addressed an issue with additional permission checks. |
WebKit | CVE-2023-27954 | Addressed an issue by removing origin information. |
In the News: Pinduoduo app gained unauthorised access to devices: Kaspersky