Apple has released emergency security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-23529, that impacts iOS, iPadOS, and macOS. The flaw is a type confusion issue in WebKit that was addressed by the IT giant with improved checks.
An attacker can achieve arbitrary code execution by tricking the victims into visiting maliciously crafted web content.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple.
This is the first zero-day vulnerability addressed by Apple in 2023. As usual, Apple did not share details about the attacks in the wild exploiting this flaw.
The flaw impacts iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, and Macs running macOS Ventura.
Apple addressed the CVE-2023-23529 flaw with the release of iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.
The company also fixed a use after free issue, tracked as CVE-2023-23514, that resides in the kernel. The vulnerability was addressed with improved memory management.
“An app may be able to execute arbitrary code with kernel privileges” reads the advisory.
The vulnerability was reported by Xinru Chi of Pangu Lab, Ned Williamson of Google Project Zero.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Apple)