Headline
Update now! Apple fixes actively exploited vulnerability and introduces new features
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: macOS
Tags: iOS
Tags: iPadOS
Tags: watchOS
Tags: tvOS
Tags: Studio Display
Tags: CVE-2023-23529
Tags: type confusion
Tags: emoji
Apple has released security updates and new features for several of its products, including a fix for an actively exploited vulnerability.
(Read more…)
The post Update now! Apple fixes actively exploited vulnerability and introduces new features appeared first on Malwarebytes Labs.
Posted: March 30, 2023 by
Apple has released security updates for several products. Most notably one of the updates fixes an actively exploited vulnerability in the WebKit component of iOS 15.7.4 and iPadOS 15.7.4 that was fixed earlier in macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.
You can find the specific security content for the devices you’re interested in by following the links below:
- macOS Ventura 13.3
- Safari 16.4
- Studio Display Firmware Update 16.4
- iOS 15.7.4 and iPadOS 15.7.4
- tvOS 16.4
- macOS Big Sur 11.7.5
- iOS 16.4 and iPadOS 16.4
- macOS Monterey 12.6.4
- watchOS 9.4
The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.
How to update your iPhone or iPad.
How to update macOS on Mac.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as CVE-2023-23529: a type confusion issue that Apple says has been addressed with improved checks.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. So let’s say you have a program that expects a number as input, but instead it receives a string (i.e. a sequence of characters), if the program doesn’t properly check that the input is actually a number and tries to perform arithmetic operations on it as if it were a number, it may produce unexpected results which could be abused by an attacker.
Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this could allow attackers to execute arbitrary code on a vulnerable device. So, an attacker would have to trick a victim into visiting a malicious website or open such a page in one of the apps that use WebKit to render their pages.
WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.
There are some other vulnerabilities that make it worth checking if you need to update. The latest iPhone update alone fixes 33 vulnerabilities, some of them could lead to arbitrary code execution. But none of the other fixed vulnerabilities were flagged as having been used in real life attacks.
For iOS 16.4 users that don’t consider security their first priority, you may be convinced to update by looking at all the new features that were introduced in iOS 16.4. Apparently Apple also found it more important to notify me on my iPad about the number of new emojis (21) first.
“This update introduces 21 new emoji and includes other enhancements, bug fixes, and security updates for your iPad.”
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
TRY NOW
RELATED ARTICLES
Related news
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild. The three security shortcomings are listed below - CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with
Apple on Monday backported fixes for an actively exploited security flaw to older iPhone and iPad models. The issue, tracked as CVE-2023-23529, concerns a type confusion bug in the WebKit browser engine that could lead to arbitrary code execution. It was originally addressed by the tech giant with improved checks as part of updates released on February 13, 2023. An anonymous researcher has been
A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
Red Hat Security Advisory 2023-0902-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-0903-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23529: A vulnerability was found in WebKitGTK. This issue occurs when processing maliciously crafted web content in WebKit. This may, in theory, allow a remote attacker to create a specially crafted web page, trick the victim into opening it, trigger type confusion, and execute arbitrary code on the target system.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23529: A vulnerability was found in WebKitGTK. This issue occurs when processing maliciously crafted web content in WebKit. This may, in theory, allow a remote attacker to create a specially crafted web page, trick the victim into opening it, trigger type confusion, and execute arbitrary code on the target system.
Debian Linux Security Advisory 5352-1 - An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Debian Linux Security Advisory 5351-1 - An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Hey 👋 there, cyber friends! Welcome to this week's cybersecurity newsletter, where we aim to keep you informed and empowered in the ever-changing world of cyber threats. In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks. 1. Apple 📱 Devices Hacked with
By Deeba Ahmed If you are using an Apple product, it is time to update it right now and make sure the automatic updates are enabled. This is a post from HackRead.com Read the original post: Update Now: iOS Devices Receive Vital Security Updates from Apple