Apple has released security updates for its iOS, iPadOS, macOS, and Safari products to address a zero-day vulnerability that has been actively exploited in hacker attacks.
Tracked as CVE-2023-23529, the bug is a type confusion issue in the WebKit browser engine that a remote attacker can use to achieve remote code execution by tricking a victim into visiting a specially crafted website. This type confusion issue was addressed with improved checks, the iPhone maker said.
The zero-day affects iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, as well as Macs running macOS Ventura.
Apple did not provide any details about the attacks in which this flaw has been exploited, saying only that it “is aware of a report that this issue may have been actively exploited.”
Besides CVE-2023-23529, the tech giant patched a use-after-free issue (CVE-2023-23514) in the OS kernel that could be abused by a local application to execute arbitrary code with kernel privileges.
Last month, Apple issued security updates for macOS, iOS, iPadOS, and watchOS to address a zero-day vulnerability in WebKit impacting older devices running iOS v12.
Tracked as CVE-2022-42856, the zero-day is a type confusion issue that allows a remote attacker to achieve remote code execution by tricking the victim into visiting a malicious website.