Apple warns of three WebKit vulns under active exploitation, dozens more CVEs across its range
High school student and Amnesty International named among bug-finders
Apple has issued a bushel of security updates and warned that three of the flaws it's fixed are under active attack.
The three are CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all of which impact the WebKit browser engine that Apple champions and employs in its Safari browser – and demands be used by other browsers on iOS.
CVE-2023-32409 means "A remote attacker may be able to break out of Web Content sandbox." Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab found the flaw.
Just by the way, who knew Amnesty had a Security Lab?
CVE-2023-28204 is described as "Processing web content may disclose sensitive information."
CVE-2023-32373 means "Processing maliciously crafted web content may lead to arbitrary code execution."
All three are found in iPhone 8 and later, all models of iPad Pro, iPad Air from its third generation to current models, iPads from the fondleslab's fifth gen to the present, and iPad minis from fifth generation machines to the present.
At the time of writing the CVEs are all so fresh that detailed info is not available, so severity ratings are also absent.
But suffice to say that more than a billion iPhones and iPads are vulnerable to these flaws, so news that Apple thinks they're being exploited is most unwelcome. It also rather undermines Apple's boast that it's super good at security.
Apple also disclosed myriad other flaws – The Register has counted 199 mentions of CVEs in the eight security advisories the fruit cart issued on May 18.
Those advisories detail problems in macOS Big Sur, Ventura, and Monterey, recent versions of which can leak location information and worse.
39 CVEs are listed as impacting iOS 16.5 and iPadOS 16.5. Among the issues are arbitrary code execution, sometimes with kernel privileges, restoration of deleted photos, apps accessing sensitive location information, and privacy permissions granted to one app being usable by a malicious app.
Plenty of the CVEs are found across Apple's OSes, but some are device specific.
watchOS 9.5, for example, suffers from CVE-2023-32417, which means "An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features." That one was discovered by Zitong Wu (吴梓桐) from Zhuhai No.1 High School (珠海市第一中学) in Guangdong, China. Go to the top of the class, Mr Wu!
Apple policy is not to "disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available." In accordance with that stance, Apple has urged users to implement updates ASAP.
News of the WebKit flaws has the potential to increase agitation for Apple to open its products to rival browser engines, and perhaps therefore to the efforts of more developers who work to improve those projects' security.
Cupertino is reportedly edging towards allowing multiple engines – if only to satisfy regulators who feel its platforms could do with a dose of competition.
But such an approach won't fix flaws like the watchOS mess described above: Apple must own some of these problems all by itself. ®