Security News > 2023 > May > Apple warns of three WebKit vulns under active exploitation, dozens more CVEs across its range
Apple has issued a bushel of security updates and warned that three of the flaws it's fixed are under active attack.
The three are CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all of which impact the WebKit browser engine that Apple champions and employs in its Safari browser - and demands be used by other browsers on iOS. CVE-2023-32409 means "A remote attacker may be able to break out of Web Content sandbox." Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab found the flaw - who knew Amnesty did that? The other two are an out-of-bounds read that can disclose sensitive information (CVE-2023-28204) and a use-after-free that can lead to arbitrary code execution (CVE-2023-32373), both reachable by processing web content.
Suffice to say that more than a billion iPhones and iPads are vulnerable to these flaws, so news that Apple thinks they're being exploited is most unwelcome.
Apple also disclosed myriad other flaws - The Register has counted 199 mentions of CVEs in the eight security advisories Apple issued on May 18th. That is a count of mentions, not of unique bugs: the same CVE is listed again in the advisory of every product it affects, so the number of distinct flaws is lower. Those advisories detail problems in macOS Big Sur, Ventura, and Monterey, recent versions of which can leak location information and worse.
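The "199 mentions" figure is easy to misread as 199 distinct vulnerabilities. The following Python is an added example, not code from The Register or Apple, that shows how a practitioner would tally CVE identifiers across a set of advisories, separate raw mentions from unique CVEs, and confirm that every CVE reported as actively exploited is covered by a patch advisory. The advisory names and bodies are constructed sample text for this example (the real advisories are far longer); only the three CVE identifiers and the impact wording come from the article.

```python
import re
from collections import Counter, defaultdict

# CVE identifiers: CVE-YYYY-NNNN with four or more trailing digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")

# The three WebKit CVEs Apple says are under active exploitation (from the article).
ACTIVELY_EXPLOITED = {"CVE-2023-32409", "CVE-2023-28204", "CVE-2023-32373"}

# Constructed sample advisories. Names and bodies are assumptions standing in
# for the real Apple pages; the point is that one CVE recurs per affected product.
SAMPLE_ADVISORIES = {
    "iOS 16.5 and iPadOS 16.5": """
WebKit
Impact: A remote attacker may be able to break out of Web Content sandbox.
Description: The issue was addressed with improved bounds checks.
CVE-2023-32409

WebKit
Impact: Processing web content may disclose sensitive information.
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-28204

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use-after-free issue was addressed with improved memory management.
CVE-2023-32373
""",
    "Safari 16.5": """
WebKit
CVE-2023-32409
CVE-2023-28204
CVE-2023-32373
""",
    "macOS Ventura 13.4": """
WebKit
CVE-2023-32409
CVE-2023-28204
CVE-2023-32373
""",
}


def extract_cves(text: str) -> list[str]:
    """Every CVE identifier mentioned in text, in order, duplicates kept."""
    return CVE_RE.findall(text)


def tally(advisories: dict[str, str]) -> dict:
    """Count mentions per CVE and record which advisories list each CVE."""
    mentions: Counter = Counter()
    listed_in: defaultdict = defaultdict(set)
    for name, body in advisories.items():
        for cve in extract_cves(body):
            mentions[cve] += 1
            listed_in[cve].add(name)
    return {
        "total_mentions": sum(mentions.values()),   # what "199 mentions" measures
        "unique_cves": sorted(mentions),             # what most people assume it measures
        "mentions": dict(mentions),
        "advisories_by_cve": {c: sorted(a) for c, a in listed_in.items()},
    }


def exploited_coverage(advisories: dict[str, str],
                       exploited: set[str] = ACTIVELY_EXPLOITED) -> dict[str, list[str]]:
    """Map each actively exploited CVE to the advisories that patch it.

    An empty list for any CVE means no advisory in the set covers it, which is
    the condition a patch-tracking team needs to alert on.
    """
    by_cve = tally(advisories)["advisories_by_cve"]
    return {cve: by_cve.get(cve, []) for cve in sorted(exploited)}


def missing_patches(advisories: dict[str, str],
                    exploited: set[str] = ACTIVELY_EXPLOITED) -> list[str]:
    """Actively exploited CVEs that appear in no advisory at all."""
    return [cve for cve, names in exploited_coverage(advisories, exploited).items() if not names]


if __name__ == "__main__":
    t = tally(SAMPLE_ADVISORIES)
    print(f"{t['total_mentions']} mentions, {len(t['unique_cves'])} unique CVEs")
    for cve, names in exploited_coverage(SAMPLE_ADVISORIES).items():
        print(f"{cve}: patched in {', '.join(names) or 'NO ADVISORY'}")
```

Running this over the sample gives 9 mentions but only 3 unique CVEs, which is the distinction the article's headline number glosses over; swapping in the text of the real advisories is the only change needed to get the actual unique count.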
Go to the top of the class, Mr Wu! Apple policy is not to "Disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available".
In accordance with that stance, Apple has said nothing beyond urging users to install the updates ASAP. News of the WebKit flaws may add to pressure on Apple to open its products to rival browser engines - and therefore to the efforts of more developers working to improve those projects' security.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/05/19/apple_security_alerts/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS v3 base score)
---|---|---|---
2023-06-23 | CVE-2023-32409 | Web Content sandbox escape in Apple WebKit. The issue was addressed with improved bounds checks. | 8.6
2023-06-23 | CVE-2023-32373 | Use-after-free vulnerability in multiple products. A use-after-free issue was addressed with improved memory management. | 8.8
2023-06-23 | CVE-2023-28204 | Out-of-bounds read vulnerability in multiple products. An out-of-bounds read was addressed with improved input validation. | 6.5