Active Exploitation of Zero-Day Vulnerabilities in Apple WebKit

Published on 19 May 2023

Apple has released security updates to address three zero-day vulnerabilities (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in Apple WebKit. Apple Webkit is a web browser engine used by Safari and other default browsers in iOS. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are:

CVE-2023-32409: A buffer overflow vulnerability could allow a remote attacker to break out of Web Content sandbox.
CVE-2023-28204: A out-of-bounds read vulnerability could allow a remote attacker to disclose sensitive information.
CVE-2023-32373: A use-after-free vulnerability could allow an attacker to perform arbitrary code execution after the vulnerable device processes maliciously crafted web content.

The vulnerabilities affect the following product versions:

iPhone 6s (all models)
iPhone 7 (all models)
iPhone SE (1st generation)
iPad Air 2
iPad Mini (4th generation)
iPod Touch (7th generation)
iPhone 8 and later
iPad Pro (all models)
iPad Air 3rd generation and later
iPad 5th generation and later
iPad mini 5th generation and later
Macs running macOS Big Sur, Monterey, and Ventura
Apple Watch Series 4 and later
Apple TV 4K (all models)
Apple TV HD

Users and administrators of affected product versions are advised to update to the latest versions immediately.

Users are also advised to enable automatic software updates if available, by going to Settings > General > Software Updates > Enable Automatic Updates.

More information is available here:

https://support.apple.com/en-sg/HT201222

https://www.theregister.com/2023/05/19/apple_security_alerts/

https://www.bleepingcomputer.com/news/apple/apple-fixes-three-new-zero-days-exploited-to-hack-iphones-macs/

https://securityonline.info/cve-2023-32409-cve-2023-28204-cve-2023-32373-three-zero-day-vulnerabilities-in-apple-products/