Apple recently patched two zero-day vulnerabilities in iOS, iPadOS and macOS that allow cybercriminals to hack virtually any Apple device. These are WebKit and kernel vulnerabilities discovered by third parties.
The discovered zero-day vulnerabilities may already be actively exploited, Apple indicated in a security alert. The most significant zero-day vulnerability discovered is CVE-2023-23529 in WebKit. Cybercriminals can use this vulnerability to crash the OS on an Apple device and, after the user opens a malicious web page, to execute unauthorized code on the device.
This vulnerability affects not only iOS and iPadOS but also macOS. In the latter case, version 16.3.1 of the Safari web browser for macOS Big Sur and Monterey is also affected. Safari is known to cybercriminals as an ideal gateway to other data on Apple devices.
The second zero-day vulnerability is in the kernel. This vulnerability, CVE-2023-23514, can also lead to arbitrary code running on Apple devices with kernel privileges.
Apple has since released patches for both vulnerabilities and packaged them in a new update to the respective operating systems. The range of affected Apple devices is quite large: all Apple iPhones starting with the iPhone 8, all iPad Pro models, the iPad Air 3rd generation and up, all iPads 5th generation and up, the iPad mini 5th generation and up, and Mac computers and MacBooks running macOS Ventura.
Vulnerabilities discovered by third parties
The vulnerabilities were discovered by security researchers outside Apple. Apple’s thanks go to an anonymous researcher for the discovery of the WebKit vulnerability and to researchers Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero for the kernel vulnerability. Thanks are also extended to the digital civil rights organization Citizen Lab from the Munk School at the University of Toronto in Canada for their help.
Apple advises users of the aforementioned devices to update to iOS/iPadOS 16.3.1 as soon as possible.