Security News > 2023 > May > Apple warns of three WebKit vulns under active exploitation, dozens more CVEs across its range

Apple warns of three WebKit vulns under active exploitation, dozens more CVEs across its range
2023-05-19 02:59

Apple has issued a bushel of security updates and warned that three of the flaws it's fixed are under active attack.

The three are CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all of which impact the WebKit browser engine that Apple champions and employs in its Safari browser - and demands be used by other browsers on iOS. CVE-2023-32409 means "A remote attacker may be able to break out of Web Content sandbox." Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill of Amnesty International's Security Lab found the flaw - who knew Amnesty did that?

Suffice to say that more than a billion iPhones and iPads are vulnerable to these flaws, so news that Apple thinks they're being exploited is most unwelcome.

Apple also disclosed myriad other flaws - The Register has counted 199 mentions of CVEs in the eight security advisories apple issued on May 18th. Those advisories detail problems in macOS Big Sur, Ventura, and Monterey, recent versions of which can leak information location and worse.

Go to the top of the class, Mr Wu! Apple policy is not to "Disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available".

In accordance with that stance, Apple has urged users to implement updates ASAP. News of the WebKit flaws has the potential to increase agitation for Apple to open its products to rival browser engines, and perhaps therefore to the efforts of more developers who work to improve those projects' security.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/05/19/apple_security_alerts/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-06-23 CVE-2023-32409 Unspecified vulnerability in Apple products
The issue was addressed with improved bounds checks.
network
low complexity
apple
8.6
2023-06-23 CVE-2023-32373 Use After Free vulnerability in multiple products
A use-after-free issue was addressed with improved memory management.
network
low complexity
apple redhat webkitgtk CWE-416
8.8
2023-06-23 CVE-2023-28204 Out-of-bounds Read vulnerability in multiple products
An out-of-bounds read was addressed with improved input validation.
network
low complexity
apple webkitgtk CWE-125
6.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349
Webkit 2 0 1 6 0 7