On Thursday, Apple released a slew of updates that bring a few new features to the iPhone and Mac. More importantly, the updates include three critical zero-day patches for vulnerabilities known to be actively exploited.
The WebKit bugs span Apple’s whole device family and are patched in iOS 16.5, iPadOS 16.5, watchOS 9.5, macOS Ventura 13.4, and tvOS 16.5, as well as iOS/iPadOS 15.7.6, macOS Monterey 12.6.6, macOS Big Sur 11.7.7, and Safari 16.5. All of these updates carry the same five WebKit fixes, three of which are known to have been exploited:
WebKit
- Impact: Processing web content may disclose sensitive information
- Description: An out-of-bounds read was addressed with improved input validation.
- WebKit Bugzilla: 255075
CVE-2023-32402: an anonymous researcher
WebKit
- Impact: Processing web content may disclose sensitive information
- Description: A buffer overflow issue was addressed with improved memory handling.
- WebKit Bugzilla: 254781
CVE-2023-32423: Ignacio Sanmillan (@ulexec)
WebKit
- Impact: A remote attacker may be able to break out of the Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
- Description: The issue was addressed with improved bounds checks.
- WebKit Bugzilla: 255350
CVE-2023-32409: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab
WebKit
- Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
- Description: An out-of-bounds read was addressed with improved input validation.
- WebKit Bugzilla: 254930
CVE-2023-28204: an anonymous researcher
WebKit
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 254840
CVE-2023-32373: an anonymous researcher
Two of the three zero-day bugs, CVE-2023-28204 and CVE-2023-32373, were already patched by Apple’s first Rapid Security Response updates for iOS and iPadOS (16.4.1 (a)) and macOS Ventura (13.3.1 (a)); the third, CVE-2023-32409, is fixed only in the full releases above.
To update an iPhone or iPad, open the Settings app and go to General, then Software Update. On a Mac running Ventura, open System Settings, then General, then Software Update; on pre-Ventura Macs, open System Preferences and choose Software Update.
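As an added example (not from the article or from Apple), a small POSIX shell script that compares an installed OS version against the minimum patched versions listed above and reports whether a device carries these WebKit fixes; the platform labels (macos, ios, ipados, watchos, tvos) are the script's own convention, and Rapid Security Response suffixes such as "(a)" are not modelled.

```shell
#!/bin/sh
# Added example: does an Apple OS version include the May 2023 WebKit fixes?
# Minimum patched versions come from the article. RSR builds like "16.4.1 (a)"
# are not modelled: only the full releases carry all five fixes, so anything
# below them is reported as vulnerable.

# version_ge A B: exit 0 when dotted numeric version A >= B, component-wise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# min_patched_version PLATFORM VERSION: print the first release on VERSION's
# major line that includes the fixes; exit 1 for a line the article does not list.
min_patched_version() {
    major=${2%%.*}
    case "$1:$major" in
        macos:13)          echo 13.4 ;;
        macos:12)          echo 12.6.6 ;;
        macos:11)          echo 11.7.7 ;;
        ios:16|ipados:16)  echo 16.5 ;;
        ios:15|ipados:15)  echo 15.7.6 ;;
        watchos:9)         echo 9.5 ;;
        tvos:16)           echo 16.5 ;;
        *)                 return 1 ;;
    esac
}

# is_patched PLATFORM VERSION: print "patched", "vulnerable" or "unknown".
is_patched() {
    min=$(min_patched_version "$1" "$2") || { echo unknown; return 2; }
    if version_ge "$2" "$min"; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Demo over constructed sample inputs (not live inventory data).
for sample in "macos 13.4" "macos 13.3.1" "ios 15.7.6" "ipados 16.4.1" "macos 10.15.7"; do
    set -- $sample
    printf '%-7s %-8s %s\n' "$1" "$2" "$(is_patched "$1" "$2")"
done
```

On a Mac the installed version can be fed in with `is_patched macos "$(sw_vers -productVersion)"`.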