Apple Addresses Actively Exploited WebKit Zero-Day for Older iPhones and iPads
March 27, 2023
Apple has recently released security updates aimed at addressing an actively exploited zero-day bug for older iPhones and iPads. The vulnerability, identified as CVE-2023-23529, is a WebKit type confusion issue that Apple had initially fixed for newer iPhone and iPad devices on February 13, 2023. The vulnerability allows potential attackers to trigger operating system crashes and gain code execution on compromised iOS and iPadOS devices if successfully exploited.
Threat actors could execute arbitrary code on targeted iPhones and iPads after deceiving victims into opening malicious web pages. This bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey. Apple describes the zero-day as, "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."
Apple has also addressed the zero-day in iOS 15.7.4 and iPadOS 15.7.4 with enhanced checks. The list of affected devices includes iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) devices. Although Apple acknowledges reports that this vulnerability has been exploited in attacks, the company has not yet published information regarding these incidents. This is standard procedure for Apple when disclosing security patches for zero-days exploited in the wild.
By restricting access to technical details, Apple allows as many users as possible to secure their devices and slows down attackers' efforts to develop and deploy additional exploits targeting vulnerable devices. While the CVE-2023-23529 zero-day was likely only used in targeted attacks, it is highly recommended to install the security updates as soon as possible to block potential attack attempts targeting users of iPhone and iPad devices running older software.
In January, Apple also backported patches for a remotely exploitable zero-day flaw (reported by Clément Lecigne of Google's Threat Analysis Group) to older iPhones and iPads.
Related News
- CISA Adds Four Security Vulnerabilities to Known Exploited List
- Apple Patches Zero-Day Vulnerability Used in iPhone, iPad, and Mac Attacks
Latest News
- Microsoft Issues Emergency Update for Windows Snipping Tool Flaw
- Microsoft Offers Guidance on Detecting Outlook Zero-Day Exploits
- Procter & Gamble Confirms Data Breach Through GoAnywhere Zero-Day Exploit
- City of Toronto Confirms Data Theft, Clop Ransomware Gang Claims Responsibility
- Exploit Released for Veeam Bug Allowing Cleartext Credential Theft
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.