2023-02-13
Apple Updates Include Fix for iOS Zero-day
Editor's Note
The 0-day vulnerability is part of "WebKit". WebKit is Apple's open source browser engine that is included in other browsers as well. In addition to the WebKit problem, Apple fixed a privilege escalation issue. This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability.
Johannes Ullrich
Apple reports this is being actively exploited. Given that Apple just released 16.3 (and we’re all still getting that rolled out), I’d treat this as a zero-day fix and pause 16.3 to push this instead.
Lee Neely
The Apple security notice is vague; however, it mentions remote code execution at the kernel level and being actively exploited in the wild. It’s not very easily understood yet how reliable or complex the exploit is to re-create, but you should patch it now as it’s actively exploited. There were a couple of reports that Google Photos was not working when the iPhones were patched, but with my own devices, that has not manifested itself. It also takes a long time for this update to go through on both macOS and certain phones, so expect a good amount of downtime. On macOS, something like 20-25 minutes on the most recent Intel MacBook Pro seems to be the case.
Moses Frost
Read more in
Apple: About the security content of iOS 16.3.1 and iPadOS 16.3.1
Apple: About the security content of macOS Ventura 13.2.1
Apple: About the security content of Safari 16.3.1
SANS: Apple Patches Exploited Vulnerability
Ars Technica: Apple releases iOS 16.3.1 and other updates with fix for “actively exploited” bug
TechCrunch: Apple releases new fix for iPhone zero-day exploited by hackers
Bleeping Computer: Apple fixes new WebKit zero-day exploited to hack iPhones, Macs