Apple fixes WebKit 0-days under attack (CVE-2023-28204, CVE-2023-32373, CVE-2023-32409)
Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that "may have been actively exploited."
The notes accompanying the updates also revealed that Apple's first Rapid Security Response update, which was pushed out earlier this month, contained fixes for two WebKit 0-days.
CVE-2023-28204 and CVE-2023-32373 can be triggered by WebKit - the browser engine that powers Safari and all web browsers on iOS and iPadOS - processing specially crafted web content.
Details about the attacks in which these latest WebKit zero-days are being exploited are also undisclosed, since Apple is famously tight-lipped when it comes to sharing those.
Fixes for the three WebKit zero-days are not present in the older macOS versions, but the Safari update has them.
The Rapid Security Response updates are also only available for the latest macOS, iOS and iPadOS versions, which is another reason why users of older versions should apply these latest updates as quickly as possible.
News URL
https://www.helpnetsecurity.com/2023/05/19/cve-2023-28204-cve-2023-32373-cve-2023-32409/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-23 | CVE-2023-32409 | Unspecified vulnerability in Apple products. The issue was addressed with improved bounds checks. | 8.6 |
2023-06-23 | CVE-2023-32373 | Use After Free vulnerability in multiple products. A use-after-free issue was addressed with improved memory management. | 8.8 |
2023-06-23 | CVE-2023-28204 | Out-of-bounds Read vulnerability in multiple products. An out-of-bounds read was addressed with improved input validation. | 6.5 |