Apple splats zero-day bug, other gremlins in macOS, iOS

WebKit flaw 'may have been exploited' – just like Tim Cook 'may have' made a million bucks this week


Apple this week released bug-splatting updates to its operating systems and Safari browser, to fix a zero-day vulnerability in its WebKit browser engine that's reported to have been actively exploited.

Updates macOS 13.2.1, iOS 16.3.1, iPadOS 16.3.1, and Safari 16.3.1 fix the flaw, tracked as CVE-2023-23529, which may allow maliciously crafted web content to execute arbitrary code. It's described by Apple as a type confusion flaw fixed by improved checks.

The issue had to do with JsonWebToken code that accepted asymmetric encryption keys not associated with a specific algorithm through the jwt.verify() function. For example, DSA keys could be used with the RS256 algorithm. This evidently permitted signature verification with insecure key types.

Apple's advisory says the company "is aware of a report that this issue may have been actively exploited." It credits an anonymous researcher for reporting the bug and its iOS advisory also acknowledges "the Citizen Lab at The University of Toronto’s Munk School for their assistance."

Citizen Lab has a history of documenting vulnerabilities in Apple software that have been exploited by government authorities using commercial spyware like NSO Group's Pegasus.

Apple did not immediately respond on the record to a request to comment about whether this zero-day is being exploited by commercial spyware customers. However, we suspect the anonymous researcher cited may not be related to Citizen Lab.

Apple's patches also address two other vulnerabilities.

CVE-2023-23514, reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero, affects the macOS, iOS, and iPadOS kernel (and likely the tvOS and watchOS kernels, too). It's a use-after-free memory error that has the potential to allow arbitrary code execution with kernel privileges. Essentially, an app or some other running program can use this to take over the device.

A third CVE, CVE-2023-23522, was reported by Wenchao Li and Xiaolong Bai of Alibaba Group. Less severe than the others, this bug in macOS Ventura potentially allowed an app to observe unprotected user data.

Apple provides few details about its fix beyond noting that it addressed the privacy issue in the Shortcuts component by improving how the operating system handles temporary files.

This appears to be the first zero-day fix Apple has issued for current model devices this year. In January, Apple backported a fix from last year for a WebKit flaw under active exploitation to iPhone 5 and similarly outdated devices running iOS 12.5.

Patches for tvOS 16.3.2 and watchOS 9.3.1 were also released but Apple had yet to document them at the time this story was written. ®
