Vulnerabilities

Apple Patches Actively Exploited WebKit Zero-Day Vulnerability 

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Published

Apple patches vulnerabilities

Apple on Monday announced the release of updates for macOS, iOS and Safari, and they all include a WebKit patch for a new zero-day vulnerability tracked as CVE-2023-23529.

The zero-day, described as a type confusion issue, can be exploited for arbitrary code execution by getting the targeted user to access a malicious website. 

An anonymous researcher has been credited for reporting CVE-2023-23529 and no information has been made public on the attacks exploiting the vulnerability.

However, one of Apple’s advisories thanked Citizen Lab at the University of Toronto’s Munk School for its assistance. It’s unclear if this assistance was related to CVE-2023-23529, but if it was, the zero-day may have been exploited in attacks linked to mercenary spyware vendors, whose activities are often detailed by Citizen Lab. 

In addition to the zero-day, Apple’s latest macOS update, Ventura 13.2.1, patches a code execution issue in the kernel (CVE-2023-23514) reported by researchers at Google Project Zero and Pangu Lab, as well as a shortcuts-related flaw that can expose user data (CVE-2023-23522), reported by researchers of the Alibaba Group.

Apple does not mention any reports of exploitation associated with these two vulnerabilities. 

The iOS and iPadOS 16.3.1 updates also fix the CVE-2023-23514 kernel issue in addition to the zero-day. The latest Safari update, version 16.3.1, only fixes the zero-day flaw.

In many cases, zero-day vulnerabilities affecting Apple products are exploited by state-sponsored threat actors, typically working with spyware vendors. 

Advertisement. Scroll to continue reading.

In response to these types of attacks, Apple last year announced Lockdown Mode, a feature that should significantly limit the ability to use sophisticated exploits against its customers. 

According to data from Google Project Zero, nine of the Apple product vulnerabilities whose existence came to light in 2022 have been exploited in attacks, including three that impact WebKit. 

Related: Apple Patches Exploited iOS Vulnerability in Old iPhones

Related: Apple Says WebKit Zero-Day Hitting iOS, macOS Devices

Related: Apple Patches WebKit Code Execution in iPhones, MacBooks

Related: Apple Patches Zero-Day Vulnerability Exploited Against iPhones

In this article:, ,

Related Content

Malware & Threats

Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day

More than 1,400 CrushFTP servers remain vulnerable to an actively exploited zero-day for which PoC has been published.

5 days ago
Palo Alto Networks

Malware & Threats

Palo Alto Networks Releases Fixes for Firewall Zero-Day as Attribution Attempts Emerge

Palo Alto Networks has started releasing hotfixes for the firewall zero-day CVE-2024-3400, which some have linked to North Korea’s Lazarus. 

April 15, 2024

Malware & Threats

Microsoft Patches Two Zero-Days Exploited for Malware Delivery

Microsoft patches CVE-2024-29988 and CVE-2024-26234, two zero-day vulnerabilities exploited by threat actors to deliver malware.

April 10, 2024

Government

Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

Ivanti releases a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott vowing to fix the entire security organization.

April 4, 2024

Malware & Threats

Chrome Update Patches Zero-Day Vulnerabilities Exploited at Pwn2Own

Google ships a security-themed Chrome browser refresh to fix flaws exploited at the CanSecWest Pwn2Own hacking contest.

March 27, 2024

Malware & Threats

Google Report: Despite Surge in Zero-Day Attacks, Exploit Mitigations Are Working

Despite a surge in zero-day attacks, data shows that security investments into OS and software exploit mitigations are forcing attackers to find new attack...

March 27, 2024

Mobile & Wireless

Apple Blunts Zero-Day Attacks With iOS 17.4 Update

Apple rolls out urgent patches to fix multiple security flaws in its flagship iOS platform and warned about zero-day exploits in the wild.

March 5, 2024

Malware & Threats

Windows Zero-Day Exploited by North Korean Hackers in Rootkit Attack

North Korean group Lazarus exploited AppLocker driver zero-day CVE-2024-21338 for privilege escalation in attacks involving FudModule rootkit.

February 29, 2024

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version