
Apple's iOS, iPadOS, macOS, and Safari are all under attack from a new zero-day vulnerability



Apple released security updates for iOS, iPadOS, macOS, and Safari on Monday to fix a zero-day vulnerability that the company said had been actively exploited in the wild.

The vulnerability, tracked as CVE-2023-23529, is a type confusion flaw in the WebKit browser engine that could be triggered by maliciously crafted web content and result in arbitrary code execution.

The iPhone maker stated that the flaw was fixed with improved checks and that it is "aware of a report that this issue may have been actively exploited." The problem was reported by an unnamed researcher, according to reports.

Although it's not immediately clear how the vulnerability is being used in real-world attacks, this is the second such flaw Apple has fixed in as many months, after CVE-2022-42856, which was closed in December 2022.

WebKit flaws are particularly notable because they affect every third-party web browser available for iOS and iPadOS, owing to Apple's restrictions that force browser vendors to use the same rendering engine.

The company has also fixed a use-after-free vulnerability in the kernel (CVE-2023-23514) that may allow a malicious app to run arbitrary code with root access.

Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero are credited with reporting the problem. Apple said that improved memory management fixed the flaw.

Separately, the most recent macOS update fixes a privacy flaw in Shortcuts that might be used by malware-laden software to "observe unprotected user data." Apple stated that the issue was resolved with improved handling of temporary files.

To reduce risks, users are encouraged to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1. The following devices are eligible for the updates:

Apple devices running macOS Ventura, macOS Big Sur, and macOS Monterey, as well as iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation, and iPad mini 5th generation and later.

In 2022, Apple fixed a total of 10 zero-days across its software, nine of which had been identified as being actively exploited by threat actors. WebKit was the source of four of those bugs.

Reviewed by F on February 14, 2023
