Apple has released security updates to counter the exploitation of several WebKit vulnerabilities. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, these vulnerabilities affect WebKit, the browser engine behind Apple's Safari browser. Other browsers operating within the iOS ecosystem must use WebKit as well.
CVE-2023-32409 allows a remote attacker to escape the Web Content sandbox. The discovery was credited to Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. CVE-2023-28204 concerns the disclosure of sensitive information during the processing of web content, while CVE-2023-32373 enables remote code execution through maliciously crafted web pages.
Devices affected by these vulnerabilities include iPhones from the eighth generation onward, all iPad Pro models, iPad Air models from the third generation onward, iPads from the fifth generation onward, and iPad mini models from the fifth generation onward.
The disclosure of these WebKit vulnerabilities has prompted calls for Apple to allow more competition within its domain. Such a move would invite more developers to enrich these projects and strengthen their security measures. Apple is reportedly moving closer to allowing multiple engines, possibly to appease regulators.
Apple does not disclose, discuss, or confirm security vulnerabilities until a proper investigation has been conducted and patches or releases are available. Nevertheless, more than a billion iPhones and iPads are exposed and vulnerable, casting a shadow of doubt on Apple’s once-lauded claims of security invincibility.