Update now! Apple issues patches for three actively used zero-days

Apple has rolled out security updates for Safari 16.5, watchOS 9.5, tvOS 16.5, iOS 16.5, iPadOS 16.5, iOS 15.7.6, iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Among the security updates were patches for three actively exploited zero-day vulnerabilities. All these actively exploited vulnerabilities are directly related to the WebKit browser engine.

WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

Devices impacted by the identified exploits include:

  • All iPad Pro models
  • iPad Air (3rd generation and later)
  • iPad (5th generation and later)
  • iPad Mini (5th generation and later)
  • iPhone 6s and later models
  • Mac workstations and laptops running macOS, Big Sur, Monterey, and Ventura
  • Apple Watch (series 4 and later)
  • Apple TV 4K and HD

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS:

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE containing the information about the new zero-day is:

  • CVE-2023-32409: An issue where remote attacker may be able to break out of Web Content sandbox was addressed with improved bounds checks.

The notes about the security updates also revealed some information about the Apple’s Rapid Security Response (RSR) update we reported about earlier this month.

RSR is a new type of software patch delivered between Apple’s regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They’re meant to make the deployment of security improvements faster and more frequent.

We now know that the CVEs patched in that RSR update are listed as:

  • CVE-2023-28204: An out-of-bounds read issue in WebKit was addressed with improved input validation. Processing web content may disclose sensitive information.
  • CVE-2023-32373: A use-after-free issue in WebKit which was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.