February 21, 2024
Apple Fixes an Actively Exploited Zero-Day Vulnerability in WebKit

A WebKit patch for a zero-day vulnerability identified as CVE-2023-23529 is included in the macOS, iOS, and Safari updates that Apple has released.

The zero-day is a type confusion issue: an attacker can exploit it to execute arbitrary code by getting the targeted user to visit a malicious website.

CVE-2023-23529 was discovered by an unidentified researcher, and no details about the attacks that took advantage of the flaw have been released.

Nevertheless, a note from Apple acknowledged the support provided by Citizen Lab at the Munk School of the University of Toronto. Whether this help was connected to CVE-2023-23529 is unknown, but if it was, the zero-day might have been used in attacks linked to companies that sell mercenary spyware, whose operations Citizen Lab frequently reports on.

Apart from the zero-day vulnerability, the most recent macOS update from Apple, Ventura 13.2.1, addresses a kernel code execution issue (CVE-2023-23514) that was reported by researchers from Google Project Zero and Pangu Lab. It also addresses a Shortcuts-related vulnerability that could expose user data (CVE-2023-23522), which was reported by researchers from the Alibaba Group.

Apple makes no mention of any reports of these two vulnerabilities being exploited.

State-sponsored threat actors frequently work with spyware vendors to take advantage of zero-day vulnerabilities that impact Apple products. 

In response to these kinds of attacks, Apple last year introduced Lockdown Mode, a feature that should drastically reduce the capacity to use sophisticated exploits against its customers.

Data from Google Project Zero indicates that three of the nine Apple product vulnerabilities that were discovered in 2022 have already been used in attacks. 

Apple: Cybercriminals May Be Targeting iPhones Using This WebKit Vulnerability

Apple patches two actively exploited vulnerabilities in WebKit, the Safari browser engine.

It is time for an update: Apple is fixing two vulnerabilities that hackers could be actively using to target macOS, iPhone, and iPad devices. 

In response to the threat, which impacts WebKit, the browser engine used by Safari, the company today released security updates.  

Security researcher Clément Lecigne of Google’s Threat Analysis Group, which guards against state-sponsored hacking organizations and commercial surveillance firms, informed Apple about the vulnerabilities. (A few days ago, Lecigne discovered another zero-day vulnerability in Google’s Chrome browser; this was also fixed.)

Apple has not disclosed any information about the attack. However, the vulnerabilities can be triggered by processing harmful web content. This implies that the hackers were sending booby-trapped web pages to their victims, possibly via a phishing email or website, to exploit the vulnerabilities.

The first flaw, CVE-2023-42916, allows the WebKit engine to be manipulated into reading memory beyond its intended boundaries, which may cause the software to reveal sensitive data. The second vulnerability, CVE-2023-42917, is a memory corruption issue that can be exploited to trick WebKit into executing malicious code. It appears that malware could be covertly downloaded to a device using this vulnerability.

Or perhaps hackers combined the two vulnerabilities to take control of iPhones. Following the release of iOS 16.7.1 on October 10, Apple stated that the vulnerabilities “may have been exploited against versions of iOS.” 

iOS version 17.1.2 will include Apple’s patch. Users can update their iPhones by navigating to Settings > General > Software Update. If automatic updates are enabled, the phone can also install the patch on its own. Apart from iOS, Apple has also released patches for Safari, iPadOS, and macOS Sonoma.
