Tuesday, February 14, 2023

Zero-day WebKit vulnerability (CVE-2023-23529) affecting Apple ecosystem


Apple on Monday announced the release of updates for macOS, iOS and Safari, and they all include a WebKit patch for a new zero-day vulnerability tracked as CVE-2023-23529.

In response to these types of attacks, Apple last year announced Lockdown Mode, a feature that should significantly limit the ability to use sophisticated exploits against its customers. 


Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.


WebKit flaws are also notable for the fact that they impact every third-party web browser that's available for iOS and iPadOS owing to Apple's restrictions that require browser vendors to use the same rendering framework.

Also addressed by the company is a use-after-free issue in the Kernel (CVE-2023-23514) that could permit a rogue app to execute arbitrary code with the highest privileges.

Credited with reporting the issue are Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero. Apple said it resolved the vulnerability with improved memory management.

The updates are available for the following devices:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Ventura, macOS Big Sur, and macOS Monterey

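As an added example (not part of the original post, and not Apple's tooling), here is a small patch-status check of the kind a fleet administrator would run after an advisory like this one: it reads the installed version, compares it against a minimum fixed version component by component, and reports every host that is below the minimum or cannot be evaluated. Numeric comparison is the point: plain string comparison orders "13.10" before "13.2.1", which would mark a newer build as unpatched. The hostnames, the inventory and the minimum versions below are constructed placeholders; the post does not list the fixed build numbers, so take the real minimums from Apple's advisory for CVE-2023-23529.

```python
"""Patch-status check for an Apple OS update (added example, not from the post).

The minimum versions and the inventory are constructed placeholders; replace
them with the fixed versions from Apple's advisory for CVE-2023-23529.
"""
import subprocess
import sys


def parse_version(text: str) -> tuple:
    """Turn '13.2.1' into (13, 2, 1).

    Non-numeric input raises ValueError so a garbled or missing version can
    never silently compare as 'patched'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum_fixed: str) -> bool:
    """True when installed >= minimum_fixed, compared numerically per component.

    Tuple comparison treats a shorter prefix as older, so (13, 2) < (13, 2, 1),
    i.e. '13.2' is below '13.2.1', which is the intended reading.
    """
    return parse_version(installed) >= parse_version(minimum_fixed)


def find_unpatched(inventory, minimum_by_os):
    """Return (host, reason) for each host below the minimum or not evaluable.

    An unknown OS name or an unparsable version is reported rather than
    skipped, so gaps in the inventory show up in the same list.
    """
    findings = []
    for host, os_name, version in inventory:
        minimum = minimum_by_os.get(os_name)
        if minimum is None:
            findings.append((host, f"no minimum defined for {os_name}"))
            continue
        try:
            if not is_patched(version, minimum):
                findings.append((host, f"{os_name} {version} is below {minimum}"))
        except ValueError as exc:
            findings.append((host, str(exc)))
    return findings


def installed_macos_version():
    """Installed macOS product version via `sw_vers`, or None off macOS."""
    if sys.platform != "darwin":
        return None
    result = subprocess.run(
        ["sw_vers", "-productVersion"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


# Constructed example thresholds: placeholders, not values from the post.
EXAMPLE_MINIMUMS = {"macOS": "13.2.1", "iOS": "16.3.1", "iPadOS": "16.3.1"}

# Constructed sample inventory: (hostname, OS, reported version).
SAMPLE_INVENTORY = [
    ("mac-01", "macOS", "13.2.1"),    # at the minimum: patched
    ("mac-02", "macOS", "13.2"),      # one patch level short
    ("mac-03", "macOS", "13.10"),     # newer, but sorts first as a string
    ("ipad-01", "iPadOS", "16.3"),    # one patch level short
    ("phone-01", "iOS", "unknown"),   # MDM returned no usable version
]


if __name__ == "__main__":
    local = installed_macos_version()
    if local is not None:
        print(f"this Mac: {local} patched={is_patched(local, EXAMPLE_MINIMUMS['macOS'])}")
    for host, reason in find_unpatched(SAMPLE_INVENTORY, EXAMPLE_MINIMUMS):
        print(f"{host}: {reason}")
```

Run it on the sample inventory and mac-02, ipad-01 and phone-01 are reported while mac-03 (13.10) correctly passes; on a Mac it also prints the local `sw_vers` result against the placeholder threshold.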
From a message I received from my institution:
Apple released emergency security updates on Monday 02/13/2023 to address (among other things) a zero-day vulnerability tracked as CVE-2023-23529, which pertains to a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.
