The zero-day allows malicious code to be injected and executed remotely: the WebKit browser engine can be compromised via specially crafted websites. A second bug allows code to be executed with kernel privileges.
Apple has published security updates for iPhones, iPads and Macs. They close a serious zero-day vulnerability that allows malicious code to be injected and executed. According to Apple, there are reports that the vulnerability is already being actively exploited.
iOS 16.3 and iPadOS 16.3 and earlier, as well as macOS 13.2 and earlier, are affected. Since the bug is in the WebKit browser engine, Safari 16.3 and earlier are also vulnerable. According to the release notes, all an attacker needs to do is get the victim to open specially crafted web content in WebKit or Safari. On iOS and iPadOS, third-party browsers are therefore affected as well, because Apple's App Store rules require them to use WebKit rather than their own engine, so switching browsers offers no protection there.
Apple also plugs critical kernel vulnerability
Apple users should therefore install the available updates, iOS 16.3.1, iPadOS 16.3.1 and macOS 13.2.1, as soon as possible. For macOS Big Sur and macOS Monterey, Apple provides the fixed Safari version 16.3.1 as a separate update.
A second vulnerability, in the kernel, affects iOS, iPadOS and macOS. A specially crafted app can exploit it to run arbitrary code with kernel privileges, which in practice means a malicious app can escape its sandbox and take over the whole device. The cause is a use-after-free bug, which Apple says it fixed with improved memory management. Unlike the WebKit bug, Apple does not list this one as actively exploited.
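To show what a use-after-free of this kind looks like and why tying an object's lifetime to a reference count fixes it, here is an added, generic illustration. It is not Apple's kernel code and Apple has not published details of its fix; the `struct session` object, the toy slab allocator standing in for the kernel allocator, and the reference-counting repair are all assumptions made for the example. Because every byte lives in one static array, the "stale" read is well-defined C and the outcome is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the use-after-free pattern in general; NOT Apple's
 * kernel code, and the object layout is hypothetical.  A toy slab allocator
 * stands in for the kernel's allocator: freed slots go on a LIFO free list,
 * so the next allocation of the same size reuses the slot freed last. */

#define SLOTS 4
#define SLOT_SIZE 32

struct session {
    uint32_t refs;      /* reference count (used only by the fixed variant) */
    uint32_t uid;
    uint32_t is_admin;  /* privilege flag consulted by the access check */
    char name[20];
};

union slot {
    struct session s;
    unsigned char raw[SLOT_SIZE];
};

static union slot slab[SLOTS];
static int free_stack[SLOTS];
static int free_top;

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* slot 0 is handed out first */
}

static void *slab_alloc(void) {
    return free_top > 0 ? slab[free_stack[--free_top]].raw : NULL;
}

static void slab_free(void *p) {
    int idx = (int)((union slot *)p - slab);
    free_stack[free_top++] = idx;        /* LIFO: reused by the next alloc */
}

/* Vulnerable flow: one code path releases the session while another still
 * holds a raw pointer to it.  An attacker who can trigger an allocation of
 * the same size afterwards (a "heap spray") controls what the dangling
 * pointer now reads; here that flips is_admin from 0 to non-zero.
 * Returns 1 if the stale check grants admin, 0 otherwise. */
static int vulnerable_check(void) {
    slab_init();
    struct session *s = slab_alloc();
    s->uid = 1000;
    s->is_admin = 0;
    strcpy(s->name, "alice");

    slab_free(s);                        /* released, but s is still used */

    unsigned char *spray = slab_alloc(); /* attacker's object lands in s's slot */
    memset(spray, 0xff, SLOT_SIZE);

    return s->is_admin != 0;             /* reads attacker bytes: 1 */
}

/* Fixed flow: lifetime is tied to a reference count.  The checker takes its
 * own reference, so the other path's release cannot free the object from
 * under it; the spray lands in a different slot and the check stays 0. */
static struct session *session_get(struct session *s) { s->refs++; return s; }
static void session_put(struct session *s) { if (--s->refs == 0) slab_free(s); }

static int fixed_check(void) {
    slab_init();
    struct session *s = slab_alloc();
    s->refs = 1;                         /* owner's reference */
    s->uid = 1000;
    s->is_admin = 0;
    strcpy(s->name, "alice");

    struct session *mine = session_get(s); /* refs = 2 */
    session_put(s);                        /* owner drops: refs = 1, not freed */

    unsigned char *spray = slab_alloc();   /* gets a fresh slot, not s's */
    memset(spray, 0xff, SLOT_SIZE);

    int admin = mine->is_admin != 0;       /* still 0 */
    session_put(mine);                     /* refs = 0: freed now, safely */
    return admin;
}

int main(void) {
    printf("vulnerable check grants admin: %d\n", vulnerable_check());
    printf("fixed check grants admin:      %d\n", fixed_check());
    return 0;
}
```

The point of the example is the ordering, not the specific object: as soon as a free and a later use can be reached on two different paths, an attacker who can allocate objects of the same size in between decides what the stale pointer sees. Reference counting (or any scheme that makes the last user responsible for the free) removes that window, which is what "improved memory management" usually amounts to in practice.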
macOS Ventura users also receive a fix for the Shortcuts component. It is intended to prevent apps from accessing unprotected user data; to that end, the handling of temporary files has been revised.
iOS and iPadOS also receive minor bug fixes, among them for problems with iCloud settings and Siri. In addition, Apple states that Crash Detection has been optimized on iPhone 14 and iPhone 14 Pro models.