Apple has released an emergency security update that fixes a zero-day vulnerability (CVE-2023-23529) in iOS, Safari, and macOS that is under attack in the wild.
A remote attacker could exploit the vulnerability to take control of unpatched systems.
iOS 16.3.1 and iPadOS 16.3.1
The Apple iOS WebKit vulnerability CVE-2023-23529 could lead to arbitrary code execution when maliciously crafted web content is processed. WebKit is Apple’s HTML rendering software and is part of Apple’s browser engine.
As noted in the advisory, Apple warned the “issue may have been actively exploited.”
The zero-day and another Kernel vulnerability, CVE-2023-23514, were fixed in iOS 16.3.1 and iPadOS 16.3.1.
The updates are available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Safari 16.3.1 and macOS 13.2.1
Apple also fixed the same zero-day CVE-2023-23529 in Safari 16.3.1, available for macOS Big Sur and macOS Monterey.
Moreover, Apple released an update for macOS Ventura 13.2.1 that also patched the exploited flaw CVE-2023-23529, along with two other vulnerabilities.
Additional updates for tvOS 16.3.2 and watchOS 9.3.1 were also published, with more details to be released soon.