Thursday, December 7, 2023

Apple WebKit Zero-Day Vulnerability Exploited to Hack iPhones, iPads, and Macs

As a result of a new zero-day vulnerability found in Apple products that can be exploited in hacking attacks, Apple has recently released an emergency security update. Here below we have mentioned the devices that are vulnerable:-

  • iPhones
  • iPads
  • Macs

This discovered vulnerability has been identified as CVE-2023-23529, and the vulnerability is categorized as a WebKit confusion issue, which may lead to the exploitation of compromised devices by triggering operating system crashes and gaining code execution. 

Exploitation of Vulnerability

The vulnerability is zero-day, meaning it has not been previously identified or publicly disclosed. The CVE-2023-23529 vulnerability is particularly concerning due to its potential to cause significant damage to compromised devices. 

If exploited, the vulnerability could enable an attacker to execute arbitrary code on the device, resulting in unauthorized access and the potential loss of sensitive data.

The exploitation of this vulnerability occurs when a user opens a malicious web page, which triggers the execution of arbitrary code. It has also been found that the vulnerability affects Safari 16.3.1 on macOS Big Sur and Monterey.

Affected Devices

It is believed that this vulnerability has been actively exploited, and Apple is aware of such a report. The CVE-2023-23529 was addressed by Apple by improving the checks in the following areas:-

  • iOS 16.3.1
  • iPadOS 16.3.1
  • macOS Ventura 13.2.1

Since the bug affects both older and newer models, so, the list of devices that are affected is quite extensive, and here below we have mentioned a few of them:-

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd gen and later
  • iPad 5th gen and later
  • iPad mini 5th gen and later
  • Macs running macOS Ventura

Apple also recently announced that they have fixed a kernel use after a free vulnerability that is tracked as CVE-2023-23514, in their latest security update. This flaw was reported by two security researchers, Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero.

A potential impact of this flaw would be the implementation of arbitrary code on a Mac or iPhone with kernel privileges.

Apple’s First zero-day Patch of the Year

Despite the company’s acknowledgment of the existence of in-the-wild exploitation reports, it has refrained from releasing any information related to these attacks. The company has not disclosed any details regarding the type of exploitation, and the extent of damage caused.

Apple’s decision to limit access to information regarding the zero-day vulnerability is likely a measure taken to provide as many users as possible with the opportunity to update their devices before cyber attackers can exploit the security flaw.

The company’s actions reflect a commitment to maintaining a high level of security and privacy for its users.

Although the zero-day vulnerability may have only been utilized in specific targeted attacks, it is strongly recommended that users install the emergency updates as soon as possible to prevent any potential future attempts.

Network Security Checklist – Download Free E-Book

Website

Latest articles

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being...

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles