Security news that informs and inspires

Apple Fixes Three Actively Exploited WebKit Flaws


Apple has released patches that address three actively exploited vulnerabilities impacting certain Mac, iPhone and Safari users.

The three flaws exist in WebKit, the web browser engine developed by Apple and used by Safari, Mail, App Store, and many other apps on macOS, iOS and Linux. The vulnerabilities (CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373) were fixed in the iOS 16.5, macOS Ventura 13.4, Safari 16.5 (available for macOS Big Sur and macOS Monterey), watchOS 9.5 and tvOS 16.5 security releases, disclosed on Thursday.

For all three bugs, Apple said it is “aware of a report that this issue may have been actively exploited.”

The flaw tied to CVE-2023-32409 is a sandbox escape potentially allowing a remote attacker to break out of a Web Content sandbox. According to Apple, the issue was discovered by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab, and has been addressed with improved bounds checks.

Apple also fixed a use-after-free issue (CVE-2023-32373) in WebKit that could allow an attacker to process maliciously crafted web content in order to launch an arbitrary code execution attack. The issue was mitigated with improved memory management. Finally, an out-of-bounds read issue (CVE-2023-28204) that could allow sensitive information to be disclosed while processing web content was fixed by Apple with improved input validation.

These latter two issues, reported by anonymous researchers, were first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a), Apple’s new type of software release for iPhones, iPads and Macs that aims to ship security fixes to end users more frequently.

The three actively exploited flaws are only the latest to be patched by Apple. In April, the company warned of two zero days that were being actively exploited in iOS, macOS, and Safari, including one in the IOSurfaceAccelerator (CVE-2023-28206) and the other in the WebKit framework (CVE-2023-28205). And in March, Google TAG and Amnesty International disclosed a pair of spyware campaigns that were leveraging iOS and Android zero day exploit chains to target victims across the globe.