On 18th March, tech giant Apple rolled out emergency patches for its iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser platforms to protect Apple devices from three 0-day WebKit vulnerabilities. According to security researchers, these WebKit vulnerabilities are being actively exploited in the wild and allow adversaries to carry out arbitrary code execution, break out of the Web Content sandbox, and disclose sensitive information on vulnerable Apple devices. Apple didn’t disclose the technical details of the flaws to avoid further exploitation of the vulnerabilities. Let’s explore what Apple has shared about the three 0-day WebKit vulnerabilities in this post.
A Short Introduction to WebKit and the Web Content Sandbox
WebKit is an open-source web browser engine that is used by a variety of popular browsers, including Apple’s Safari, and formerly by Google’s Chrome until it was forked into the Blink engine in 2013.
WebKit was originally created by Apple Inc. for its Safari browser, and the name “WebKit” comes from the “khtml” and “kjs” libraries from the KDE project, which were the base technologies that WebKit was built upon.
WebKit is composed of several key components:
- WebCore: This is the core rendering engine, which is responsible for parsing HTML and CSS, constructing the Document Object Model (DOM), and rendering the web page on the screen. WebCore is derived from the KHTML library, which was developed by the KDE project.
- WebKit API: This layer provides a set of interfaces for embedding WebKit into other applications. It handles browser-like functionality such as loading pages, managing history, and handling user input.
One of the major goals of WebKit is to be fast, efficient, and easy to embed into a variety of applications. It supports a wide range of web standards, including HTML5, CSS3, SVG, and others.
The WebKit project is a collaborative effort, with contributions from a number of companies and individuals. It is licensed under the GNU Lesser General Public License (LGPL), which means that anyone is free to use, modify, and distribute it.
The Identified Three 0-Day WebKit Vulnerabilities in Apple Devices
The three security vulnerabilities that have been identified are as follows:
The first vulnerability, identified as CVE-2023-32409, stems from WebKit and could potentially be exploited by a malicious actor. This flaw could allow an attacker to break out of the Web Content sandbox, a security feature that isolates web content from the rest of the system. In response, the WebKit team has implemented improved bounds checks, effectively strengthening the sandbox against such breaches.
The second vulnerability, CVE-2023-28204, is an out-of-bounds read issue within WebKit. This flaw could be abused to disclose sensitive information during the processing of web content. To address this, the WebKit team has enhanced input validation, thereby reducing the potential for sensitive data exposure.
The third identified vulnerability, CVE-2023-32373, is a use-after-free bug within WebKit. This bug could potentially lead to arbitrary code execution when processing maliciously crafted web content. To rectify this, the WebKit team has improved memory management, significantly reducing the risk of arbitrary code execution.
Note: The CVE-2023-32409 vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. The other two vulnerabilities were reported by an anonymous researcher.
Apple Devices Vulnerable to These Three 0-Day WebKit Vulnerabilities
These vulnerabilities most likely affect every Apple device running the versions below.
- iOS and iPadOS versions earlier than 16.5
- macOS Ventura versions earlier than 13.4
- tvOS versions earlier than 16.5
- watchOS versions earlier than 9.5
- Safari versions earlier than 16.5
How to Protect Your Apple Devices From The Three 0-Day WebKit Vulnerabilities?
Apple says it has released iOS 16.5, iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, and Safari 16.5 as emergency patches to fix the flaws. We recommend that all users of iPhones, iPads, MacBooks, Apple Watches, and Apple TVs upgrade their OS to the latest release. Please visit the Apple security updates page to read information about all the recently released security updates.
The versions that patch these three 0-day WebKit vulnerabilities are:
| Name and information link | Available for | Release date |
| --- | --- | --- |
| Safari 16.5 | macOS Big Sur and macOS Monterey | 18 May 2023 |
| watchOS 9.5 | Apple Watch Series 4 and later | 18 May 2023 |
| tvOS 16.5 | Apple TV 4K (all models) and Apple TV HD | 18 May 2023 |
| iOS 16.5 and iPadOS 16.5 | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | 18 May 2023 |
| iOS 15.7.6 and iPadOS 15.7.6 | iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) | 18 May 2023 |
| macOS Big Sur 11.7.7 | macOS Big Sur | 18 May 2023 |
| macOS Ventura 13.4 | macOS Ventura | 18 May 2023 |
| macOS Monterey 12.6.6 | macOS Monterey | 18 May 2023 |
Follow these steps to check for updates on your devices:
- iOS and iPadOS: Go to Settings > General > Software Update.
- macOS: Open System Preferences > Software Update.
- Safari: Updates for Safari are usually included in macOS updates. However, you can also check for Safari updates in the App Store.
- watchOS: Pair your Apple Watch with your iPhone, open the Watch app on your iPhone, and go to General > Software Update.
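
For a fleet rather than a single device, the same check can be run over an inventory export. The following is an added example, not code from Apple or the original post: it compares each device against the fixed release for its own branch from the table above, so a device on iOS 15.7.6 is not flagged just because it is below 16.5. The inventory rows, function names and status labels are constructed for illustration, and it assumes that any major release newer than those in the table already contains the fixes.

```python
# Fixed releases per platform and major branch, taken from the table on this page.
FIXED = {
    "ios":     {15: "15.7.6", 16: "16.5"},
    "ipados":  {15: "15.7.6", 16: "16.5"},
    "macos":   {11: "11.7.7", 12: "12.6.6", 13: "13.4"},
    "tvos":    {16: "16.5"},
    "watchos": {9: "9.5"},
    "safari":  {16: "16.5"},
}

def parse_version(text):
    """'16.5' -> (16, 5, 0). Pads to three parts so 16.5 == 16.5.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Classify one device against the fixed release of its own branch."""
    branches = FIXED.get(platform.lower())
    if branches is None:
        return "unknown-platform"
    v = parse_version(version)
    if v[0] > max(branches):
        return "patched"  # assumption: later majors ship with the fixes
    fixed = branches.get(v[0])
    if fixed is None:
        return "no-fix-listed"  # branch has no patched release in the table
    return "patched" if v >= parse_version(fixed) else "update-needed"

# Constructed sample inventory: (hostname, platform, installed version).
INVENTORY = [
    ("iphone-a", "iOS", "16.4.1"),
    ("iphone-b", "iOS", "15.7.6"),
    ("ipad-c", "iPadOS", "15.7.5"),
    ("mac-d", "macOS", "13.4"),
    ("mac-e", "macOS", "12.6.5"),
    ("mac-f", "macOS", "10.15.7"),
    ("watch-g", "watchOS", "9.5.1"),
]

def report(inventory):
    """Map each hostname to its patch status."""
    return {host: assess(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as `no-fix-listed` are on a branch that has no patched release in the table, so they need an OS upgrade rather than a point update.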