Apple has released security updates to combat the exploitation of various WebKit vulnerabilities. These insidious flaws, bearing the names CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, have set their sights on WebKit, the browser engine championed by Apple in its Safari browser.
Apple also insists that other browsers in its iOS ecosystem adhere to WebKit’s rules.
CVE-2023-32409 makes it possible for a remote attacker to escape the Web Content sandbox, with its discovery credited to the diligent efforts of Clément Lecigne from Google’s Threat Analysis Group and Donncha Ó Cearbhaill from none other than Amnesty International’s Security Lab.
What the other flaws do
CVE-2023-28204 involves the disclosure of sensitive information during the processing of web content, while CVE-2023-32373 enables the execution of arbitrary code through maliciously crafted web content.
iPhones from the 8th generation onward, all the iPad Pros, the iPad Airs from the third generation onward, the iPads starting from the fifth generation, and even the small iPad minis from the fifth generation are all ensnared by this group of vulnerabilities.
At the time of writing, detailed information and severity ratings regarding these newly unveiled CVEs remain elusive. Nevertheless, the reality remains stark and disconcerting—over a billion iPhones and iPads are left exposed and vulnerable, casting a shadow of doubt over Apple’s once-lauded claims of invincibility in the realm of security.
The argument for more competition
While Apple adheres to its policy of not disclosing, discussing, or confirming security issues until an investigation has occurred and patches or releases are available, the situation’s urgency necessitates swift action.
The revelation of these WebKit vulnerabilities may well fan the flames of discontent, intensifying the clamor for Apple to open its gates to rival browser engines. Such a move would invite more developers to enrich these projects and fortify their security measures.
Rumors suggest that Cupertino might be inching closer to allowing multiple engines, if only to appease regulators who fervently advocate for a healthy dose of competition within Apple’s dominion.