Actively exploited WebKit flaw patched in iOS 16.3.1 - Mobile Security Briefing 2023.082

Apple released an emergency update to iOS, iPadOS, macOS and Safari on 13 Feb 2023 to patch a security flaw in WebKit, the browser engine developed by Apple that powers Safari and many other apps in the Apple ecosystem and beyond (every browser on iOS, including third-party ones, must use WebKit). Apple's security update page was updated on 20 Feb 2023 to include information on additional security flaws patched in the same software update.

If you haven't updated your Apple devices yet, you should stop reading this article and upgrade immediately! Given that there are billions of devices running Apple software, it is unlikely your individual device is being targeted, but it is possible. And there is certainly a set of highly targeted users, including heads of state, journalists, human rights defenders, and dissidents, who are at risk from "state-sponsored mercenary spyware" and who should not only update immediately but also consider enabling Apple's Lockdown Mode.

One of the key things I look for in Apple security update details is the following statement:

Apple is aware of a report that this issue may have been actively exploited.

This is Apple's carefully understated way of saying that the security flaw is not theoretical: it is being exploited in the wild right now.

If you're looking for additional details, unfortunately there's not much out there yet. The impact statement from Apple's advisory is:

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

which means an attacker only needs your device to load web content they control, whether by getting you to click a link, through a malicious ad, or inside an app's embedded web view, and they could then execute their own arbitrary code on your device. Eventually, the public CVE entry, CVE-2023-23529, will be updated with details. I tried to access WebKit Bugzilla ticket #251944, but after registering an account I still got the big "no sir!":

You are not authorized to access bug #251944.