On October 15, 2023, a security researcher known on X (formerly Twitter) as @po6ix released a proof-of-concept (PoC) exploit for a zero-day vulnerability (CVE-2023-41993) affecting iPhone and Mac users.
The bug, which carries an intimidating CVSS score of 9.8, lies in the WebKit browser engine. For the uninitiated, WebKit is the rendering engine behind various Apple products, including the widely used Safari browser.
This vulnerability is no trifling matter. It can give a remote attacker the ability to run code of their choosing on the victim’s device. Here’s how it unfolds:
- An attacker lures the unsuspecting victim into opening maliciously designed web content.
- This action sets off the vulnerability, allowing the attacker to run any code on the system.
It’s noteworthy that Apple, in its security advisories, acknowledged that earlier versions of iOS, preceding iOS 16.7, might have been prime targets for active exploitation using this flaw. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7,” the company revealed in security advisories describing the security flaws.
The vigilant eyes of Bill Marczak from The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone from Google’s Threat Analysis Group were instrumental in uncovering this flaw.
In a detailed writeup, po6ix shed light on the intricacies of the vulnerability. In layman’s terms, the bug hinges on a miscalculated data offset within the WebKit component. This offset error can be manipulated so that the engine treats one object as if it were an object of a different type.
Po6ix explains that manipulating this offset grants access to a specific object, the GetterSetter. From there, a chain reaction produces a ‘type confusion’ between two different data types, leading to behavior the engine never intended.
But perhaps the most alarming aspect? This confusion can be leveraged to change the ID of a specific function, which in turn can be exploited to write data out of bounds, handing the attacker a far stronger memory-corruption primitive.
For those with a keen technical acumen, po6ix has shared a proof-of-concept (PoC) exploit on GitHub detailing the intricacies of the zero-day CVE-2023-41993 vulnerability.
Apple introduced fixes for the zero-day vulnerabilities in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1. These updates not only addressed the WebKit issue but also improved certificate validation checks.
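As an added defensive example (not code from the article, from Apple, or from po6ix’s PoC), the script below encodes the fixed versions listed above and checks a device inventory against them so that unpatched devices can be flagged for updating. It assumes that each listed release patches its own major branch (macOS 12.7 for the 12.x line, 13.6 for the 13.x line, and so on), and it reports versions on branches the article does not list (for instance macOS 14) as "unknown" rather than guessing; the inventory entries are constructed sample data, not real devices.

```python
# Added example: triage Apple devices against the CVE-2023-41993 fixed versions
# named in the article. Not code from the article or from any vendor tool.
#
# ASSUMPTION: each listed release is the first patched build of its own major
# branch. Branches not listed in the article are reported as "unknown".
FIXED_VERSIONS = {
    "macOS":   ["12.7", "13.6"],
    "iOS":     ["16.7", "17.0.1"],
    "iPadOS":  ["16.7", "17.0.1"],
    "watchOS": ["9.6.3", "10.0.1"],
}


def parse_version(text):
    """Turn '16.7' or '17.0.1' into a comparable tuple of ints, padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(product, version):
    """Return 'patched', 'unpatched' or 'unknown' for one product/version pair.

    'unknown' means the installed major branch is not one the article lists,
    so a human should confirm it against Apple's advisory instead of this table.
    """
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product!r}")
    installed = parse_version(version)
    for fixed in branches:
        fixed_v = parse_version(fixed)
        if installed[0] == fixed_v[0]:          # same major branch
            return "patched" if installed >= fixed_v else "unpatched"
    return "unknown"


# Constructed sample inventory (device name, product, installed version).
SAMPLE_INVENTORY = [
    ("mac-01",   "macOS",   "13.5.2"),
    ("mac-02",   "macOS",   "13.6"),
    ("phone-01", "iOS",     "16.6.1"),
    ("phone-02", "iOS",     "17.0.1"),
    ("watch-01", "watchOS", "9.6.3"),
    ("mac-03",   "macOS",   "14.0"),
]


def needs_attention(inventory):
    """Return [(device, status)] for every device not confirmed as patched."""
    flagged = []
    for name, product, version in inventory:
        status = patch_status(product, version)
        if status != "patched":
            flagged.append((name, status))
    return flagged


if __name__ == "__main__":
    for name, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
```

On a real fleet the `SAMPLE_INVENTORY` rows would come from an MDM export or from `sw_vers -productVersion` on each Mac; the comparison logic stays the same.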