Skip to content

Apple fixes recently disclosed WebKit zero-day

  • by
  • 3 min read

Apple has released security updates to address an actively exploited Webkit vulnerability on older iPhones and iPads. While the bug has already been fixed for iOS 16, this update addresses the issue for iOS 15.7.4 and iPadOS 15.7.4 with improved checks. 

Affected devices by the vulnerability, tracked as CVE-2023-23529 include all models of the iPhone 6s and iPhone 7, the first-generation iPhone SE, iPad Air 2, fourth-generation iPad Mini and seventh-generation iPod touch. 

As for the bug itself, it’s a Webkit-type confusion issue that attackers can exploit to trigger OS crashes and gain arbitrary code execution privileges on infected iOS and iPadOS devices after tricking the user into opening malicious web pages. 

The first-generation iPhone SE is one of the affected devices in this update. | Source: Apple

Apple is aware that the vulnerability has been actively exploited in the wild but is yet to release any information on the exploit itself. This is standard procedure for Apple when disclosing security patches for already exploited zero-day vulnerabilities as withholding such information gives customers more time to update their devices while slowing down potential threat actors at the same time. 

That said, due to the nature of the vulnerability it’s highly likely that it was only exploited in targeted attacks only. Regardless, it’s advised that users owning impacted devices install the security update as soon as possible to block targetting attempts. 

Other fixes in this security update include the following.

Affected App/ServiceVulnerability CVE CodeDescription
Accessibility CVE-2023-23541Addressed a privacy issue with improved private data redaction for log entries.
Calendar CVE-2023-27961Multiple validation issues were addressed to prevent info extraction.
CameraCVE-2023-23543Additional restrictions placed on app state observability.
CommCenterCVE-2023-27936Addressed out-of-bounds write issue with improved input validation.
Find MyCVE-2023-23537Addressed a privacy issue with improved private data redaction for log entries.
FontParserCVE-2023-27956Added better memory handling.
Identity ServicesCVE-2023-27928Addressed a privacy issue with improved private data redaction for log entries.
ImageIOCVE-2023-27946Memory out-of-bounds issue addressed with improved bounds checking.
ImageIOCVE-2023-23535Added better memory handling.
KernelCVE-2023-27941A validation issue was addressed with improved input sanitation.
KernelCVE-2023-27969A use-after-free issue was addressed with improved memory management.
Model I/OCVE-2023-27949Memory out-of-bounds issue addressed with improved input validation.
NetworkExtensionCVE-2023-28182Addressed an issue with improved authentication.
ShortcutsCVE-2023-27963Addressed an issue with additional permission checks.
WebKitCVE-2023-27954Addressed an issue by removing origin information.

In the News: Pinduoduo app gained unauthorised access to devices: Kaspersky

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: