CVE-2023-23529: First zero-day patched by Apple this year
In security updates released today, Apple patched its first zero-day of the year, a vulnerability that is already being used in attacks against iPhones, iPads, and Macs.
Tracked as CVE-2023-23529, the issue is described by Apple as a type confusion bug in the WebKit browser engine that can be triggered when the engine processes specially crafted web content, leading to arbitrary code execution. Because WebKit underlies Safari and, on iOS and iPadOS, every third-party browser as well, the bug is reachable from any web page the device renders, which is why it is a typical entry point for remote attacks on these platforms.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said [1, 2]. However, the tech giant has yet to provide any details on the attacks.
The bug was discovered and reported by an anonymous researcher. Apple says it addressed the issue with improved checks in iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1.
CVE-2023-23529 affects the following devices:
- iPhone 8 and later
- iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Macs running macOS Ventura
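The fixed builds above are the practical test of whether a device is still exposed. The following script is an added example, not code from the article or from Apple: it compares an inventory of devices against the fixed versions Apple lists, using numeric tuple comparison rather than string comparison (so that a hypothetical 13.10 does not sort below 13.2.1), and flags Macs on a release other than Ventura as out of scope of this advisory rather than silently marking them patched. The inventory rows and their field names are constructed sample data, not any MDM's export format.

```python
"""Triage devices against the builds that fix CVE-2023-23529.

Added example, not part of the original article. Fixed versions are the
ones Apple lists: iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1 and
Safari 16.3.1. Inventory rows below are constructed sample data; the field
names (name, platform, version) are an assumption, not an MDM format.
"""

from typing import Dict, List, Tuple

# Minimum version per platform that contains the fix (from Apple's advisory).
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "16.3.1",
    "iPadOS": "16.3.1",
    "macOS": "13.2.1",
    "Safari": "16.3.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.3.1' into (16, 3, 1). Padding with zeros makes '16.3' equal
    to '16.3.0' instead of comparing by string length."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'out_of_scope'.

    Tuple comparison avoids the classic mistake of comparing version strings
    lexically, where '13.10.0' would sort before '13.2.1'. Any iOS/iPadOS
    build below 16.3.1 is reported as vulnerable, which is the conservative
    reading of Apple's advisory.
    """
    current = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[platform])
    if platform == "macOS" and current[0] != fixed[0]:
        # The advisory covers Macs running Ventura (13.x) only; a Mac on an
        # older release needs its Safari build checked separately instead.
        return "out_of_scope"
    return "patched" if current >= fixed else "vulnerable"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group inventory rows by patch status, preserving input order."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "out_of_scope": []}
    for row in inventory:
        report[patch_status(row["platform"], row["version"])].append(row["name"])
    return report


# Constructed sample inventory (not a real export).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "iphone-01", "platform": "iOS", "version": "16.3.1"},
    {"name": "iphone-02", "platform": "iOS", "version": "16.3"},
    {"name": "ipad-01", "platform": "iPadOS", "version": "16.3.1"},
    {"name": "mac-01", "platform": "macOS", "version": "13.2.1"},
    {"name": "mac-02", "platform": "macOS", "version": "13.2"},
    {"name": "mac-03", "platform": "macOS", "version": "12.6.3"},
    {"name": "mac-04-safari", "platform": "Safari", "version": "16.3.1"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

On a real Mac the OS version comes from `sw_vers -productVersion` and the Safari build from the `CFBundleShortVersionString` key in `/Applications/Safari.app/Contents/Info.plist`; feed those values into `patch_status` in place of the constructed rows.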
The same updates fix a second vulnerability, CVE-2023-23514, in the kernel. Reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero, its impact as described by Apple is that “an app may be able to execute arbitrary code with kernel privileges.” Apple has not said the two bugs were used together, but a kernel bug of this kind is what an attacker would chain with a WebKit renderer exploit such as CVE-2023-23529 to escape the browser sandbox, so both fixes matter.
Apple also patched CVE-2023-23522, an information disclosure vulnerability that affects only macOS Ventura. The flaw is a privacy issue in the Shortcuts component: a specially crafted application running locally could exploit it to observe unprotected user data.
Users are advised to install today’s security updates as soon as possible.