Multiple Apple Products Vulnerabilities with New Zero-Day Flaw


Product and affected versions:
– iOS versions prior to 16.3.1
– iPadOS versions prior to 16.3.1
– macOS Ventura versions prior to 13.2.1
– Safari versions prior to 16.3.1
Severity and CVE ID:
– Type confusion bug in WebKit browser engine (CVE-2023-23529)
– Use-after-free issue in Kernel (CVE-2023-23514)
Vulnerability:
– CVE-2023-23529 is a type confusion bug in the WebKit browser engine that could be triggered when processing maliciously crafted web content, allowing arbitrary code execution.
– CVE-2023-23514 is a use-after-free issue in the Kernel that could allow a rogue app to execute arbitrary code with the highest privileges.
How attack works:
– For CVE-2023-23529, attackers can craft malicious web content that triggers the vulnerability when it is processed by the WebKit browser engine. This can allow the attacker to execute arbitrary code on the victim’s device.
– For CVE-2023-23514, attackers can use a rogue app to exploit the use-after-free issue in the Kernel to execute arbitrary code with the highest privileges.
Remediations:
– Apple has released security updates for iOS, iPadOS, macOS, and Safari to address the vulnerabilities. Users are advised to update their devices to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 as soon as possible.
– It is also recommended to keep all software and apps up-to-date to avoid potential vulnerabilities and exploit attempts.
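The remediation above is a version threshold: a device is protected only once it runs at least the fixed release. The following script is an added example (not part of the advisory or Apple's tooling) that compares an installed version against the minimum patched versions listed above. It assumes plain dotted numeric versions (as `sw_vers -productVersion` and Safari's `CFBundleShortVersionString` report) and that the Safari bundle lives at its standard `/Applications/Safari.app` path; the macOS check is limited to Ventura (13.x) because that is the only macOS line this advisory covers.

```shell
#!/bin/sh
# Added example: check installed versions against the patched releases
# named in this advisory (macOS Ventura 13.2.1, Safari 16.3.1, iOS/iPadOS 16.3.1).

# version_lt A B: exit 0 if dotted version A is strictly lower than B, 1 otherwise.
# Missing trailing components are treated as 0 (so 16.3 < 16.3.1 and 13.2 == 13.2.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# check_product NAME INSTALLED MIN_PATCHED: print a verdict; exit 0 if patched, 1 if vulnerable.
check_product() {
    name="$1"; have="$2"; need="$3"
    if version_lt "$have" "$need"; then
        printf '%s %s: VULNERABLE (update to %s or later)\n' "$name" "$have" "$need"
        return 1
    fi
    printf '%s %s: patched (>= %s)\n' "$name" "$have" "$need"
    return 0
}

# Live checks, run only where the macOS tooling exists (skipped on other systems).
if command -v sw_vers >/dev/null 2>&1; then
    osv=$(sw_vers -productVersion)
    case "$osv" in
        13.*) check_product "macOS Ventura" "$osv" "13.2.1" ;;
        *)    printf 'macOS %s: not Ventura, outside the scope of this advisory\n' "$osv" ;;
    esac
fi
safari_plist=/Applications/Safari.app/Contents/Info.plist
if [ -f "$safari_plist" ] && command -v defaults >/dev/null 2>&1; then
    check_product "Safari" "$(defaults read "$safari_plist" CFBundleShortVersionString)" "16.3.1"
fi
```

For iOS and iPadOS the same `check_product` call applies to versions exported from an MDM inventory (for example `check_product iOS 16.3 16.3.1`); the script deliberately reports a missing patch component (16.3 vs 16.3.1) as vulnerable, since the zero-day fix shipped in the point release.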
Reference:
https://support.apple.com/en-us/HT213635
https://support.apple.com/en-us/HT213638
https://thehackernews.com/2023/02/apple-patches-zero-day-vulnerability.html