Apple has just shipped updates for all supported Macs and mobile devices running the most recent versions of its operating systems.
Oh, and tvOS also receives an update, although Apple’s TV platform goes to tvOS 16.3.2 (no bulletin).
Evidently, tvOS recently received a product-specific functionality fix (one listed on Apple’s security page with no further information). That update contains no published CVE entries, suggesting that no security fixes were shipped for Apple TVs in 16.3.1.
As we’ve seen before, devices on iOS 15 and iOS 12 get nothing, but whether that’s because they’re immune to this flaw or because Apple hasn’t patched them yet is unknown.
What Sort of Zero-Day Is It?
Given that the Safari browser has been updated on the pre-previous and pre-pre-previous versions of macOS, we assume that older mobile devices will eventually receive patches as well; however, you’ll need to keep an eye on Apple’s official HT201222 Security Updates portal to find out when they become available.
As stated in the title, there is another issue that “smells like spyware or a jailbreak”, because all the official updates contain a fix for CVE-2023-23529.
This vulnerability is a bug in Apple’s WebKit component, characterised as “processing maliciously designed web content may lead to arbitrary code execution”.
The flaw also gets Apple’s usual euphemism for “this is a zero-day hole that criminals are currently exploiting for nefarious purposes, and you can imagine what those may be”, namely the statement that Apple is aware of a report that this vulnerability may have been actively exploited.
Keep in mind that WebKit is a low-level operating system component responsible for processing data fetched from remote web servers so that it can be displayed by Safari and by hundreds of other web-based applications.
Here, therefore, “arbitrary code execution” means remote code execution, or RCE.
Web-based RCE exploits typically allow attackers to lure you to a booby-trapped website that looks entirely normal and harmless, while implanting malware as a side effect of your merely browsing the site.
A web RCE usually triggers no pop-ups, warnings, download prompts, or other visible signs that you are doing anything risky, so the attacker does not need to catch you off guard or trick you into taking the kind of online risk you would ordinarily avoid.
This is why this type of attack is commonly known as a drive-by download or drive-by install.
Simply viewing a website that ought to be safe, or launching an app that relies on web-based content for any of its pages (such as its splash screen or help system), could be enough to infect your device.
Remember that on Apple’s mobile devices, even non-Apple browsers such as Firefox, Chrome, and Edge are required by Apple’s App Store rules to use WebKit.
If you install Firefox (which has its own browser “engine” known as Gecko) or Edge (based on an underlying layer known as Blink) on your Mac, these alternative browsers do not use WebKit and are therefore immune to WebKit bugs.
(Note that this does not make you immune to security issues, since Gecko and Blink may bring their own bugs, and because many Mac software components use WebKit whether or not you use Safari.)
On iPhones and iPads, however, all browsers, regardless of vendor, are compelled to use the operating system’s WebKit substrate; hence all browsers, including Safari, are theoretically susceptible to WebKit bugs.
What to do?
If you own one of the Apple products listed above, run an update check immediately.
That way, if you already have the update, you can rest assured that you’re protected, and if your device hasn’t yet reached the front of the download queue (or if you’ve disabled automatic updates, by accident or on purpose), you’ll be offered the update right away.
On a Mac, the path is Apple menu > About this Mac > Software Update; on an iDevice, it is Settings > General > Software Update.
If your Apple product isn’t on the list, particularly if you’re still using iOS 15 or iOS 12, there’s little you can do right now. However, we recommend keeping an eye on Apple’s HT201222 website in the coming days in case your product turns out to be affected and receives an update.
Given how firmly Apple locks down its mobile devices to stop you using programs from anywhere other than the App Store, over which it exercises complete commercial and technical control, you can expect that…
…bugs that allow criminals to inject unauthorised code onto Apple phones are in high demand, because RCEs are the only reliable way for attackers to infect a device with malware, spyware, or other cyberzombie programming.