Active Exploitation of Zero-Day Vulnerabilities in Apple WebKit

Apple has released security updates to address three zero-day vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in Apple WebKit. Apple Webkit is a web browser engine used by Safari and other default browsers in iOS. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are:

• CVE-2023-32409: A buffer overflow vulnerability could allow a remote attacker to break out of Web Content sandbox.

• CVE-2023-28204: A out-of-bounds read vulnerability could allow a remote attacker to disclose sensitive information.

• CVE-2023-32373: A use-after-free vulnerability could allow an attacker to perform arbitrary code execution after the vulnerable device processes maliciously crafted web content.

The vulnerabilities affect the following product versions:

• iPhone 6s (all models)

• iPhone 7 (all models)

• iPhone SE (1st generation)

• iPad Air 2

• iPad Mini (4th generation)

• iPod Touch (7th generation)

• iPhone 8 and later

• iPad Pro (all models)

• iPad Air 3rd generation and later

• iPad 5th generation and later

• iPad mini 5th generation and later

• Macs running macOS Big Sur, Monterey, and Ventura

• Apple Watch Series 4 and later

• Apple TV 4K (all models)

• Apple TV HD

Users and administrators of affected product versions are advised to update to the latest versions immediately.

Users are also advised to enable automatic software updates if available, by going to Settings > General > Software Updates > Enable Automatic Updates.

More information is available here:

https://support.apple.com/en-sg/HT201222

https://www.theregister.com/2023/05/19/apple_security_alerts/

https://www.bleepingcomputer.com/news/apple/apple-fixes-three-new-zero-days-exploited-to-hack-iphones-macs/

https://securityonline.info/cve-2023-32409-cve-2023-28204-cve-2023-32373-three-zero-day-vulnerabilities-in-apple-products/