Apple users are being urged to update their devices as soon as possible, following the discovery of multiple Zero-Day vulnerabilities that are actively being exploited by hackers. The vulnerabilities affect various Apple products, including macOS, iOS, Safari, and WebKit, and could allow attackers to execute arbitrary code or gain access to sensitive data.
On Monday, February 13, 2023, Apple released security updates for macOS, iOS, and Safari, including a fix for a Zero-Day vulnerability in WebKit. The vulnerability, which is tracked as CVE-2023-23529, can be triggered by processing maliciously crafted web content, which could lead to arbitrary code execution.
Although no information has been made public on any attacks using the vulnerability, Apple acknowledged that it had received a report that the issue may have been actively exploited.
Apple credited an anonymous researcher for the discovery of the Zero-Day and thanked Citizen Lab, a digital rights research group at the University of Toronto's Munk School, for its assistance. It is unclear if the Zero-Day was exploited in attacks linked to mercenary spyware vendors.
In addition to the WebKit Zero-Day, Apple's update also fixes a code execution issue in the kernel (CVE-2023-23514) reported by researchers at Google Project Zero and Pangu Lab, as well as a shortcuts-related flaw that can expose user data (CVE-2023-23522), reported by researchers at the Alibaba Group. The updates also fix the CVE-2023-23514 kernel issue in addition to the WebKit Zero-Day.
Apple has not mentioned any reports of exploitation associated with the two vulnerabilities fixed in the macOS update. However, according to data from Google Project Zero, nine of the Apple product vulnerabilities whose existence came to light in 2022 have been exploited in attacks, including three that impact WebKit. It is worth noting that in many cases, Zero-Day vulnerabilities affecting Apple products are exploited by state-sponsored threat actors, typically working with spyware vendors.
Apple has been taking steps to enhance the security of its products against these types of attacks. Last year, the company announced Lockdown Mode, a feature that should significantly limit the ability to use sophisticated exploits against its customers.
As usual, Apple strongly recommends that users update their devices as soon as possible to ensure they have the latest security fixes. Although the chances that an average user will be targeted with a Zero-Day like this one are slim, it is always better to be safe than sorry.