Apple has launched safety updates to backport patches launched final month, addressing an actively exploited zero-day bug for older iPhones and iPads.
The vulnerability (CVE-2023-23529) is a WebKit sort confusion concern that the corporate fastened on newer iPhone and iPad units on February 13, 2023.
Potential attackers can use it to set off OS crashes and achieve code execution on compromised iOS and iPadOS units following profitable exploitation.
The menace actors can then execute arbitrary code on the focused iPhones and iPads after tricking the victims into opening malicious internet pages (this bug additionally impacts Safari 16.3.1 on macOS Big Sur and Monterey).
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple describes the zero-day. “Apple is aware of a report that this issue may have been actively exploited.”
Apple has additionally addressed the zero-day in iOS 15.7.4 and iPadOS 15.7.4 in the present day with improved checks.
The record of impacted units consists of iPhone 6s (all fashions), iPhone 7 (all fashions), iPhone SE (1st era), iPad Air 2, iPad mini (4th era), and iPod contact (seventh era) units.
First zero-day exploited within the wild patched this 12 months
Even although Apple says it is conscious of studies that this vulnerability has been exploited in assaults, the corporate has but to publish info concerning these incidents.
However, that is normal process for Apple when disclosing safety patches for zero-days exploited within the wild.
Restricting entry to technical particulars permits as many customers as doable to safe their units and slows down attackers’ efforts to develop and deploy further exploits focusing on susceptible units.
While the CVE-2023-23529 zero-day was doubtless solely utilized in focused assaults, it is extremely suggested to put in in the present day’s safety updates as quickly as doable to dam potential assault makes an attempt focusing on customers of iPhone and iPad units operating older software program.
In January, Apple additionally backported patches for a remotely exploitable zero-day flaw (reported by Clément Lecigne of Google’s Threat Analysis Group) to older iPhones and iPads.