Apple Patches Exploited Vulnerability
Last Updated: 2023-02-13 20:47:36 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for Safari, iOS, iPadOS, macOS, tvOS, and watchOS. Security details are only available for Safari, iOS, iPadOS, and macOS. One vulnerability being patched across all three operating systems is already being exploited:
CVE-2023-23529: This is a critical type confusion vulnerability in WebKit that is already actively exploited. It may be exploited by the user visiting a malicious web page. It affects Safari, iPadOS, iOS, and macOS.
CVE-2023-23514: A kernel vulnerability that may allow an application installed on the device to execute arbitrary code with kernel privileges. Code that achieves command execution via CVE-2023-23529 could use this vulnerability to escalate privileges and escape the Safari sandbox. iPadOS, iOS, and macOS are affected.
CVE-2023-23522: This vulnerability in Shortcuts may allow an app to observe unprotected user data. It only affects macOS.
Details for tvOS and watchOS will be released later. These operating systems may be affected by at least the WebKit and the kernel vulnerability above.
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu