2023-02-13
Apple Updates Include Fix for iOS Zero-day
Editor's Note
The 0-day vulnerability is part of "WebKit". WebKit is Apple's open source browser engine that is included in other browsers as well. In addition to the WebKit problem, Apple fixed a privilege escalation issue. This privilege escalation issue could be used to escape the browser sandbox and gain full system access after a executing code via the WebKit vulnerability.
![Johannes Ullrich](https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt5fe184d7be67ebdd/6307a227847c967c7c96af6f/370x370_Johannes-Ullrich-2022.jpg)
Johannes Ullrich
Apple reports this is being actively exploited. Given that Apple just released 16.3 (and we’re all still getting that rolled out.) I’d treat this as a zero-day fix and pause 16.3 to push this instead.
![Lee Neely](https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt287a7a830c1223e8/60285112efec26565b3dc240/Lee-Neely-headshot-768x1024.png)
Lee Neely
The Apple security notice is vague; however, it mentions remote code execution at the kernel level and being actively exploited in the wild. It’s not very easily understood yet how reliable or complex the exploit is to re-create, but you should patch it now as it’s actively exploited. There were a couple of reports that Google Photos was not working when the iPhones were patched, but with my own devices, that has not manifested itself. It also takes a long time for this update to go through on both MacOS and certain phones, so expect a good amount of downtime. On MacOS, something like 20-25 minutes on the most recent Intel Macbook Pro seems to be the case.
![Moses Frost](https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt70af6b2bad2b8b98/5e9d2591c492412a1bbc1385/370x370_Moses-Frost.jpg)
Moses Frost
Read more in
Apple: About the security content of iOS 16.3.1 and iPadOS 16.3.1
Apple: About the security content of macOS Ventura 13.2.1
Apple: About the security content of Safari 16.3.1
SANS: Apple Patches Exploited Vulnerability
Ars Technica: Apple releases iOS 16.3.1 and other updates with fix for “actively exploited” bug
TechCrunch: Apple releases new fix for iPhone zero-day exploited by hackers
Bleeping Computer: Apple fixes new WebKit zero-day exploited to hack iPhones, Macs