
New iOS and macOS updates fix severe flaws in iPhones and Macs from the past 10 years

Sunday, May 21, 2023, 06:06 PM, from Macworld Reviews

On Thursday, Apple released a slew of updates that bring a few new features to the iPhone and Mac. But much more importantly, the updates include three critical zero-day patches for security vulnerabilities that are known to have been actively exploited. The most alarming of the bugs allow a hacker to access personal data and take over your device via a malicious app.

The WebKit flaws span Apple’s family of devices and have been patched in iOS 16.5, iPadOS 16.5, watchOS 9.5, macOS 13.4, and tvOS 16.5, but also iOS/iPadOS 15.7.6, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, as well as Safari 16.5. All of the updates include the same five WebKit fixes, with three of them known to have been exploited:

WebKit

Impact: Processing web content may disclose sensitive information
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 255075
CVE-2023-32402: an anonymous researcher

WebKit

Impact: Processing web content may disclose sensitive information
Description: A buffer overflow issue was addressed with improved memory handling.
WebKit Bugzilla: 254781
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

WebKit

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
Description: The issue was addressed with improved bounds checks.
WebKit Bugzilla: 255350
CVE-2023-32409: Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 254930
CVE-2023-28204: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 254840
CVE-2023-32373: an anonymous researcher

Two of the three zero-day flaws, CVE-2023-28204 and CVE-2023-32373, were previously patched as part of Apple’s first Rapid Security Response updates for iOS and iPadOS (16.4.1 (a)) and macOS Ventura (13.3.1 (a)).

To update your iPhone or iPad, go to the Settings app, then General and Software Update. On a Mac, go to System Settings, then General and Software Update; on pre-Ventura Macs, find the System Preferences app, then Software Update.
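
For anyone tracking more than one device, the following Python check is an added example (not part of the Macworld article or Apple's advisory) that reports which of the three exploited CVEs remain open on a given OS build, including devices that only received the Rapid Security Response. The fixed-in versions are the ones listed above; the function names, host names and sample inventory are hypothetical, and the handling of OS branches the article does not mention is an assumption marked in the code.

```python
import re

# Fix data comes from the article text; host names and inventory are constructed.
EXPLOITED = {"CVE-2023-28204", "CVE-2023-32373", "CVE-2023-32409"}
RSR_FIXED = {"CVE-2023-28204", "CVE-2023-32373"}  # fixed by the "(a)" responses
FULL_FIX = {  # first release per OS branch that carries all three fixes
    ("ios", 16): (16, 5), ("ios", 15): (15, 7, 6),
    ("macos", 13): (13, 4), ("macos", 12): (12, 6, 6), ("macos", 11): (11, 7, 7),
    ("watchos", 9): (9, 5), ("tvos", 16): (16, 5),
}
RSR_PARTIAL = {("ios", (16, 4, 1), "a"), ("macos", (13, 3, 1), "a")}

def parse_version(text):
    """'16.4.1 (a)' -> ((16, 4, 1), 'a'); '13.4' -> ((13, 4), None)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:\(([a-z])\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def open_cves(os_name, version_text):
    """Return the exploited CVEs still unpatched on this OS build."""
    os_key = {"ipados": "ios"}.get(os_name.lower(), os_name.lower())
    version, rsr = parse_version(version_text)
    fixed_in = FULL_FIX.get((os_key, version[0]))
    if fixed_in is None:
        majors = [major for name, major in FULL_FIX if name == os_key]
        if not majors:
            raise ValueError(f"OS not covered by the article: {os_name!r}")
        # Assumption: majors newer than those listed ship the fixes; older
        # branches have no fixed build named in the article, so flag them.
        return set() if version[0] > max(majors) else set(EXPLOITED)
    if version >= fixed_in:
        return set()
    if (os_key, version, rsr) in RSR_PARTIAL:
        return EXPLOITED - RSR_FIXED  # only the sandbox escape is left
    return set(EXPLOITED)

def triage(inventory):
    """Map host -> sorted open CVEs, omitting fully patched hosts."""
    report = {host: sorted(open_cves(os_name, ver)) for host, os_name, ver in inventory}
    return {host: cves for host, cves in report.items() if cves}

SAMPLE_INVENTORY = [  # constructed
    ("phone-01", "iOS", "16.5"), ("phone-02", "iOS", "16.4.1 (a)"),
    ("ipad-01", "iPadOS", "15.7.5"), ("mac-01", "macOS", "13.3.1 (a)"),
]
if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, ", ".join(cves))
```

A device on 16.4.1 (a) or 13.3.1 (a) is reported with CVE-2023-32409 still open, which is why the full 16.5 / 13.4 update is needed even after the Rapid Security Response.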

https://www.macworld.com/article/1922377/webkit-security-update-ios-macos.html