The latest entry in Cytidel Intel Insights deals with CVE-2023-23529, a recently released vulnerability that affects Apple devices across the range, from Mac, iPhone and iPad down to your Apple Watch.
In January 2022, Apple CEO, Tim Cook, shared that there are now 1.8 billion Apple devices in circulation around the world, meaning the latest entry in the Cytidel Intel Insights could affect a huge portion of the world's population.
CVE-2023-23529 was published by Apple on 13th February with very little information (Apple's policy is not to disclose details of a vulnerability until it has been patched). The fix was released on 14th February, the same day CISA confirmed that the vulnerability had been added to its Known Exploited Vulnerabilities list, meaning that this vulnerability is actively being exploited in the wild.
What Is It?
CVE-2023-23529 is a type confusion issue in WebKit, the browser engine powering the Safari browser and other web browsers running on iOS and iPadOS.
Essentially, a maliciously crafted website can trigger the vulnerability and give a hacker code execution on your iOS device.
Why Should I Care?
In most cases, when a software vulnerability is released, the main audience for concern is businesses using that software. In this case, given the huge footprint of Macs, iPhones and iPads around the world, the potential damage could be much more widespread and not limited to business users.
There are websites specifically built to try and hack you using this vulnerability, so if, for example, you clicked on a phishing link in the next few days, there is a (small) chance a hacker could get access to your iPhone or Mac.
Am I Vulnerable?
This vulnerability targets Safari WebKit, which is the main internet browser component on every iOS device in the world. If you haven't updated the software on your device since 14th February, the likelihood is that, yes, you are vulnerable to this.
What Can I Do?
Luckily, this bug has been patched on recent Macs, iPhones and iPads, so for most, it is simply a case of downloading and installing the latest iOS or MacOS update.
The latest patched version broken down by device are:
MacOS - Ventura 13.2.1
iOS - 16.3.1
iPadOS - 16.3.1
If you have a Mac running Big Sur or Monterey, then you need to update Safari to version 16.3.1 through the App Store to get the fix.
(To find out what version your Mac is on, see this help article from Apple.)
If you are using an iPhone 7 or older, there is no fix released yet so be extra vigilant that you don't click on phishing links in the next few days/weeks until the update is backported for those devices.
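For anyone managing more than a handful of Macs, the version thresholds above are easier to apply as a script than by hand. The following is an added example, not code from the Cytidel post or from Apple: it compares a macOS version and a Safari version against the patched versions listed above (Ventura 13.2.1; Safari 16.3.1 on Big Sur 11.x and Monterey 12.x) and reports whether the host still needs an OS or Safari update. The version strings in the checks at the bottom are constructed test values; when run on a real Mac it assumes `sw_vers -productVersion` and the `CFBundleShortVersionString` key in Safari's Info.plist, which is where the installed Safari version is recorded. iPhones and iPads have no shell to run this on, so they are not covered.

```shell
#!/bin/sh
# Added example (not from the Cytidel post): is this Mac patched for CVE-2023-23529?

# version_ge A B: succeed (return 0) if dotted version A is >= dotted version B.
# Fields are compared numerically, so 13.10 > 13.9 and 13.2.1 > 13.2.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}            # leading field of each
    [ "$ai" = "$a" ] && a='' || a=${a#*.} # drop that field (or finish)
    [ "$bi" = "$b" ] && b='' || b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}             # missing field counts as 0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# macos_status OS_VERSION SAFARI_VERSION: print one word describing what is needed.
#   patched        - at or above the fixed version named in the post
#   update-os      - Ventura below 13.2.1: install the macOS update
#   update-safari  - Big Sur / Monterey with Safari below 16.3.1
#   unknown        - a macOS release the post gives no patched version for
macos_status() {
  os="$1"; safari="$2"
  case "$os" in
    13.*)       version_ge "$os" 13.2.1 && echo patched || echo update-os ;;
    11.*|12.*)  version_ge "$safari" 16.3.1 && echo patched || echo update-safari ;;
    *)          echo unknown ;;
  esac
}

# On a real Mac, read the live values (assumed commands/keys, see lead-in).
if command -v sw_vers >/dev/null 2>&1; then
  os_ver=$(sw_vers -productVersion)
  safari_ver=$(defaults read /Applications/Safari.app/Contents/Info.plist \
               CFBundleShortVersionString 2>/dev/null || echo 0)
  echo "macOS $os_ver, Safari $safari_ver: $(macos_status "$os_ver" "$safari_ver")"
fi
```

Deploy it through whatever runs scripts on your fleet and alert on anything other than `patched`; the `unknown` bucket is worth a look too, since those are machines the post's version list does not cover.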