Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs.
The zero-day patched today is tracked as CVE-2023-23529 and is a WebKit type confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.
Successful exploitation enables attackers to execute arbitrary code on devices running vulnerable iOS, iPadOS, and macOS versions once the user opens a malicious web page (the bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey).
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said when describing the zero-day.
“Apple is aware of a report that this issue may have been actively exploited.”
Apple addressed CVE-2023-23529 with improved checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.
The complete list of impacted devices is quite extensive, as the bug affects older and newer models, and it includes:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura