Apple has fixed two high-severity security flaws that allowed threat actors to run arbitrary code on vulnerable devices, potentially letting them steal sensitive content or even hijack the entire device.
The first one, tracked as CVE-2023-23514, is a use-after-free issue that enables hackers to execute arbitrary code with kernel privileges. It affects iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and newer, iPad 5th generation and later, and iPad mini 5th generation and later devices.
The flaw was discovered by Xinru Chi of Pangu Lab, and Ned Williamson of Google Project Zero, and was reportedly fixed with better memory management.
Updating the OS
The second flaw, tracked as CVE-2023-23529, was found in WebKit, Apple’s browser engine used in its Safari offering.
It was a type confusion issue, fixed with improved checks. By processing maliciously crafted web content, the device could end up allowing arbitrary code execution by third parties, Apple explained.
The flaw, which Apple says was discovered by an anonymous researcher, affected iPhone 8 and newer, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later devices.
Apple confirmed that both flaws are being actively exploited, meaning that hackers are aware of the issues and are using them to gain access to devices and steal valuable content.
Therefore, it is paramount that users apply the fixes as soon as possible, and upgrade to iOS 16.3.1 and iPadOS 16.3.1.
Apple’s browser engine, WebKit, is a popular attack vector for hackers looking to breach Apple devices, as it potentially allows access to the rest of the device’s data.
In 2022, Apple patched nine iOS bugs that “may have been actively exploited”, four of which were found in WebKit, TechCrunch reported. Of the others, three were found in the kernel, one in AppleAVD, and one in IOMobileFrameBuffer.
Via: TechCrunch