Apple has released information about the new security content of macOS Ventura 13.2.1 and of iOS 16.3.1 and iPadOS 16.3.1.
Most prominent is a vulnerability in WebKit that may have been actively exploited. In December, 2022, we warned our readers about another actively exploited vulnerability in Apple’s WebKit.
The currently patched vulnerability was a type confusion issue that Apple says has been addressed with improved checks.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. So let's say you have a program that expects a number as input, but instead it receives a string (i.e. a sequence of characters). If the program doesn't properly check that the input is actually a number and tries to perform arithmetic operations on it as if it were a number, it may produce unexpected results which could be abused by an attacker.
Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. So, an attacker would have to trick a victim into visiting a malicious website or open such a page in one of the apps that use WebKit to render their pages.
Mitigation
Updates are available for macOS Ventura, iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
The updates should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level.
How to update your iPhone or iPad.
Since the vulnerability we’ll discuss below is already being exploited, it's important that you update your devices as soon as you can.
There may be one exception to this rule. Reportedly users of Google Photos on iPhone have noticed that the update causes Google Photos to break. These users may want to wait for Apple to fix this and in the meantime be extra careful when clicking links.
If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.
Vulnerabilities
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs patched in these updates are:
CVE-2023-23514: Apple addressed a use after free issue by implementing improved memory management. Use after free is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This vulnerability could have allowed an app to execute arbitrary code with kernel privileges.
CVE-2023-23522: This issue only applies to macOS Ventura. Apple addressed a privacy issue by implementing improved handling of temporary files. An installed app could have observed unprotected user data.
CVE-2023-23529: This is the bug that was reported it might be actively exploited. It can be found in WebKit. WebKit is Apple’s web rendering engine that powers Safari and renders webpages in other apps.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.