Apple Addresses Three New Critical Flaws in WebKit. Update Now!

Threat actors are apparently actively exploiting three new flaws in iOS and macOS, according to the latest security advisory from Cupertino, California. As usual, Apple is offering timely patches that users should prioritize.

The latest round of updates from Apple addresses a plurality of vulnerabilities, some nastier than others, across the company’s entire consumer lineup. Three particular flaws, however, stand out.

Tracked as CVE-2023-32409, a new WebKit flaw affects most iPhones and iPads in circulation today and is said to be exploited by nefarious actors. According to the advisory, lax bound checks in WebKit – the web rendering engine used to display web content– can be exploited by a remote attacker to break out of Web Content sandbox.

The advisory doesn’t say what a hacker could do with these privileges on the target device, only warning that “Apple is aware of a report that this issue may have been actively exploited.”

Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab are credited with discovering and reporting this weakness.

Another pair of shortcomings in WebKit, tracked as CVE-2023-28204 and CVE-2023-32373, are also said to be actively exploited in the wild.

Apple’s wording suggests that the latter bug can be exploited from afar simply by feeding the victim a malicious link.

“Processing maliciously crafted web content may lead to arbitrary code execution.”

If history is any indication, this may imply a zero-click, remote code execution (RCE) exploit – a favorite among spyware developers.

Another notable aspect about these two bugs is that they were already addressed two weeks ago on iOS 16 and macOS 13 as part of Apple’s first Rapid Security Response rollout. The initiative was introduced to enable (and incentivize) customers to patch their devices more swiftly – with faster installation and reboot times – against critical flaws that hackers might be already exploiting.

Apple customers can fix these new security flaws, as well as a plethora of others, by updating to iOS 16.5 and iPadOS 16.5, iOS 15.7.6 and iPadOS 15.7.6, and macOS Ventura 13.4.

iOS update prompt

Mac users who only wish to patch these critical bugs then postpone the OS update can simply update their Safari browser to version 16.5. The full list of security fixes addressed in this week’s rollout can be found on Apple’s Security Updates support page.

As we mentioned time and again, Bitdefender strongly recommends you always apply the latest software patches to fend off any attacks, regardless of your hardware or OS vendor.

As spyware actors have increasingly targeted Apple devices in recent years, users will want to consider deploying a dedicated security solution as well.