
Update now! Apple fixes actively exploited vulnerability and introduces new features

Apple has released security updates for several products. Most notably one of the updates fixes an actively exploited vulnerability in the WebKit component of iOS 15.7.4 and iPadOS 15.7.4 that was fixed earlier in macOS Ventura 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.

You can find the specific security content for the devices you’re interested in by following the links below:

The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as CVE-2023-23529: a type confusion issue that Apple says has been addressed with improved checks.

Type confusion vulnerabilities are programming flaws that occur when code uses an object without first verifying that it really is the type the code expects. The textbook illustration is a program that expects a number but receives a string (a sequence of characters): if it never checks the input's type and performs arithmetic on it anyway, it produces results its author never anticipated. In a memory-unsafe language such as the C++ that WebKit is written in, the consequences go well beyond a wrong answer: the code reads and writes the object's memory according to a layout that doesn't match what is actually there, so a field the attacker controls can end up being treated as a length, an index, or a pointer.

Type confusion can let an attacker feed data, or even function pointers, into code that was written for a different kind of object. In some cases that is enough to execute arbitrary code on the vulnerable device; Apple's own description of this issue is that processing maliciously crafted web content may lead to arbitrary code execution. Because the flaw sits in WebKit's handling of web content, the attacker's job is to get a victim to load a malicious page, either by visiting a website in Safari or by opening such content in one of the many apps that use WebKit to render web pages.
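To make the mechanism concrete, here is a small C program added as an illustration; it is not WebKit code and has nothing to do with Apple's actual fix. It uses a constructed toy object model in which every heap object starts with a kind tag, and an integer object's value field happens to sit exactly where a byte-array object keeps its length. An accessor that skips the type check treats an attacker-chosen integer as a bound and reads past the object into a secret placed right after it; the hardened accessor refuses anything that isn't a byte array. All names, offsets and the fake heap layout are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy object model (constructed for this example, not WebKit's):
 * every heap object starts with a 4-byte kind tag, and the meaning of the
 * bytes after it depends entirely on that tag.
 *
 *   BytesObject: kind=KIND_BYTES | length (u32) | data[8]
 *   IntObject:   kind=KIND_INT   | value  (u32) | pad[8]
 *
 * Both are 16 bytes, so an IntObject's "value" sits exactly where a
 * BytesObject keeps its "length". Code that assumes it has a BytesObject
 * without checking the tag ends up using an attacker-chosen integer as a bound.
 */
enum { KIND_INT = 1, KIND_BYTES = 2 };

#define HEAP_SIZE   64
#define OFF_BYTES   0    /* BytesObject at heap[0..16)                      */
#define OFF_INT     16   /* IntObject   at heap[16..32)                     */
#define OFF_SECRET  32   /* 8 bytes we must never expose, at heap[32..40)   */
#define OBJ_HDR     8    /* kind + length/value                             */

static uint8_t heap[HEAP_SIZE];   /* fake heap: objects laid out back to back */

static void put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Lay out the three objects and return the heap base for indexing. */
uint8_t *init_heap(void) {
    memset(heap, 0, sizeof heap);

    put_u32(heap + OFF_BYTES, KIND_BYTES);
    put_u32(heap + OFF_BYTES + 4, 4);                  /* 4 valid bytes */
    for (uint8_t i = 0; i < 4; i++) heap[OFF_BYTES + OBJ_HDR + i] = i;

    put_u32(heap + OFF_INT, KIND_INT);
    put_u32(heap + OFF_INT + 4, 0x7fffffffu);          /* attacker-chosen integer */

    memcpy(heap + OFF_SECRET, "SECRET!!", 8);          /* constructed secret */
    return heap;
}

/*
 * Vulnerable accessor: assumes obj is a BytesObject and reads its length
 * without looking at the kind tag. Returns 0 and stores the byte in *out,
 * or -1 if idx is outside the (claimed) length.
 */
int get_element_unchecked(const uint8_t *obj, uint32_t idx, uint8_t *out) {
    uint32_t length = get_u32(obj + 4);   /* for an IntObject this is "value" */
    if (idx >= length) return -1;         /* a bounds check against a lie */
    *out = obj[OBJ_HDR + idx];            /* can walk far past the object */
    return 0;
}

/* Hardened accessor: verify the object's type before trusting its layout. */
int get_element_checked(const uint8_t *obj, uint32_t idx, uint8_t *out) {
    if (get_u32(obj) != KIND_BYTES) return -2;   /* wrong type: refuse */
    return get_element_unchecked(obj, idx, out);
}

/*
 * Drives the confused accessor over the IntObject to copy the secret out.
 * Returns the number of bytes leaked (8 when the confusion succeeds).
 */
int leak_secret(char out[9]) {
    int n = 0;
    for (uint32_t i = 0; i < 8; i++) {
        uint8_t b;
        /* IntObject's pad[8] ends where the secret begins, so idx 8..15 land on it */
        if (get_element_unchecked(heap + OFF_INT, 8 + i, &b) != 0) break;
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char leaked[9];
    uint8_t b;
    init_heap();
    printf("unchecked read of IntObject leaked %d bytes: %s\n", leak_secret(leaked), leaked);
    printf("checked read of IntObject -> %d (rejected)\n",
           get_element_checked(heap + OFF_INT, 8, &b));
    return 0;
}
```

The leak here is an out-of-bounds read kept inside the fake heap so the program stays deterministic; in a real engine the same confusion would let the attacker pick a length or pointer that reaches anywhere in the process, which is the step from "wrong answer" to arbitrary code execution. The fix Apple describes, "improved checks", is the pattern in `get_element_checked`: establish what the object is before interpreting its bytes.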

WebKit is the browser engine that powers Safari on Macs as well as every browser on iOS and iPadOS (Apple requires third-party browsers on those platforms to use it). It is also the web engine used by Mail, the App Store, and many other apps on macOS, iOS, and iPadOS, which is why this isn't just a Safari problem, and it is ported to Linux as well (WebKitGTK, for example).

There are other fixed vulnerabilities that make it worth checking whether you need to update. The latest iPhone update alone fixes 33 vulnerabilities, some of which could lead to arbitrary code execution, but none of the others were flagged as having been used in real-world attacks.

If your device is eligible for iOS 16.4 and security isn't your first priority, the list of new features introduced in iOS 16.4 may convince you to update anyway. Apparently Apple also found it more important to notify me on my iPad about the number of new emojis (21) first.

screenshot of available update for iPadOS 16.4

“This update introduces 21 new emoji and includes other enhancements, bug fixes, and security updates for your iPad.”



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.