Apple has released security updates for iOS and iPadOS, macOS Ventura, and Safari fixing a number of security issues, the most prominent of which is a new zero-day vulnerability in WebKit that could lead to arbitrary code execution. This could compromise sensitive data. There are already reports that this vulnerability is being exploited in the wild.
CVE-2023-23529 and Other Issues
The vulnerability tracked as CVE-2023-23529 is a type confusion bug in the WebKit browser engine that could be triggered when processing maliciously crafted web content. When exploited, it could cause OS crashes or code execution on the targeted device. Apple has already received reports of the vulnerability possibly being exploited in the wild. As always, Apple is holding off on releasing any further information, to avoid giving attackers details they could use to develop their own exploits before users have had time to update their devices.
Along with CVE-2023-23529, the updates address two more vulnerabilities: a use-after-free issue in the Kernel (CVE-2023-23514) in iOS, iPadOS, and macOS Ventura, and a privacy issue in Shortcuts on macOS Ventura (CVE-2023-23522).
Update Vulnerable Devices
Apple has released the security updates macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.1. Any older versions will need to be updated to protect them from the vulnerabilities described above. You can find detailed instructions on how to install the updates on Apple's Security Updates page. Users are urged to apply the updates as soon as possible on any of the following devices:
- Macs running macOS Ventura, macOS Big Sur (Safari update), macOS Monterey (Safari update)
- iPhone 8 and later
- All models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
Discover Vulnerable Apple Devices
Based on the information shared by Apple, our team has created a special Lansweeper report that lists all macOS, iOS, and iPadOS devices that are vulnerable to CVE-2023-23529. This gives you an actionable list of assets that still need to be updated. If you also need to audit for vulnerable Safari installations, you can run the Safari Version Audit report here.
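The version check behind such an audit, written out as an added example: it is not Lansweeper's report logic or Apple's code, and the record fields (`os`, `os_version`, `safari_version`) and sample devices are constructed for illustration. It applies the fixed versions listed above, including the Safari-only fix path for Big Sur and Monterey.

```python
# Added example: flag devices still below the fixed versions named in this article.
# The record layout and sample inventory are constructed, not a Lansweeper schema.
FIXED_OS = {"macOS": (13, 2, 1), "iOS": (16, 3, 1), "iPadOS": (16, 3, 1)}
FIXED_SAFARI = (16, 3, 1)
# Big Sur (11) and Monterey (12) receive the fix through the Safari update.
SAFARI_ONLY_MACOS_MAJORS = {11, 12}

def parse_version(text):
    """Turn '16.3' into (16, 3, 0) so that '16.3' sorts below '16.3.1'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def needs_update(device):
    """Return a reason string if the device is below a fixed version, else None."""
    os_name = device["os"]
    if os_name not in FIXED_OS:
        return None  # platform not covered by these updates
    os_ver = parse_version(device["os_version"])
    if os_name == "macOS" and os_ver[0] in SAFARI_ONLY_MACOS_MAJORS:
        safari = device.get("safari_version")
        if safari is None:
            return "Safari version unknown"  # cannot be cleared without data
        if parse_version(safari) < FIXED_SAFARI:
            return "Safari below 16.3.1"
        return None
    # Everything else is compared against the fixed OS release.
    if os_ver < FIXED_OS[os_name]:
        fixed = ".".join(str(n) for n in FIXED_OS[os_name])
        return f"{os_name} below {fixed}"
    return None

def audit(inventory):
    """Map device name -> reason for every device that still needs an update."""
    return {d["name"]: r for d in inventory if (r := needs_update(d))}

INVENTORY = [  # constructed sample records
    {"name": "mac-01", "os": "macOS", "os_version": "13.2"},
    {"name": "mac-02", "os": "macOS", "os_version": "12.6.3", "safari_version": "16.3"},
    {"name": "mac-03", "os": "macOS", "os_version": "11.7.3", "safari_version": "16.3.1"},
    {"name": "phone-01", "os": "iOS", "os_version": "16.3.1"},
    {"name": "pad-01", "os": "iPadOS", "os_version": "16.1"},
]

if __name__ == "__main__":
    for name, reason in audit(INVENTORY).items():
        print(f"{name}: {reason}")
```

Comparing versions as integer tuples rather than strings avoids misordering values such as 16.10 and 16.3, and a Mac with no recorded Safari version is reported rather than silently passed.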