Apple has released security updates to backport patches released last month, addressing an actively exploited zero-day bug for older iPhones and iPads.
The vulnerability (CVE-2023-23529) is a WebKit type confusion issue that the company fixed on newer iPhone and iPad devices on February 13, 2023.
Potential attackers can use it to trigger OS crashes and gain code execution on compromised iOS and iPadOS devices following successful exploitation.
The threat actors can then execute arbitrary code on the targeted iPhones and iPads after tricking the victims into opening malicious web pages (this bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey).
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple describes the zero-day. “Apple is aware of a report that this issue may have been actively exploited.”
Apple has also addressed the zero-day in iOS 15.7.4 and iPadOS 15.7.4 today with improved checks.
The list of impacted devices includes iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) devices.
First zero-day exploited in the wild patched this year
Even though Apple says it’s aware of reports that this vulnerability has been exploited in attacks, the company has yet to publish information regarding these incidents.
However, this is standard procedure for Apple when disclosing security patches for zero-days exploited in the wild.
Restricting access to technical details allows as many users as possible to secure their devices and slows down attackers’ efforts to develop and deploy additional exploits targeting vulnerable devices.
While the CVE-2023-23529 zero-day was likely only used in targeted attacks, it’s highly advised to install today’s security updates as soon as possible to block potential attack attempts targeting users of iPhone and iPad devices running older software.
In January, Apple also backported patches for a remotely exploitable zero-day flaw (reported by Clément Lecigne of Google’s Threat Analysis Group) to older iPhones and iPads.