US Agency Urges Deployment Of Apple’s Updates For iPhones, Macs
A federal cybersecurity agency says that a vulnerability in iOS and macOS, now patched by Apple, can be exploited to ‘take control of an affected device.’
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday it’s encouraging the deployment of Apple updates “as soon as possible” for a vulnerability affecting iPhones, Macs and iPads.
On Monday, Apple released iOS 16.3.1, iPadOS 16.3.1 and macOS Ventura 13.2.1 in response to the discovery of the zero-day WebKit vulnerability, which is being tracked as CVE-2023-23529. The vulnerability “may have been actively exploited,” Apple said.
In an advisory Tuesday, CISA drew attention to the issue by noting that “an attacker could exploit these vulnerabilities to take control of an affected device.”
In its notes on the WebKit vulnerability, Apple said that it’s “aware of a report that this issue may have been actively exploited.”
The flaw affects iPhone models as far back as iPhone 8, Macs running macOS Ventura and numerous iPad models.
CISA said it’s urging administrators and users to review the information posted by Apple and “apply the necessary updates as soon as possible.”
The vulnerability has been characterized as a type confusion issue, which was addressed through “improved checks,” Apple said. It was discovered by an anonymous researcher, according to the company.
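Type confusion, the bug class named above, occurs when code operates on a value as if it had one type while the value actually has another; the usual remedy is exactly what Apple describes, a check of the value's real type before the access. The following is an added illustration written for this article, not WebKit or Apple code, and it says nothing about how CVE-2023-23529 itself works: it uses a hypothetical tagged union `value` with an unchecked accessor beside a checked one, so the reader can see what "improved checks" means in the general case.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical dynamic value: a tag says which union member is live. */
typedef enum { TAG_INT, TAG_STRING } value_tag;

typedef struct {
    value_tag tag;
    union {
        int64_t i;
        char   *s;
    } u;
} value;

value make_int(int64_t i) {
    value v; v.tag = TAG_INT; v.u.i = i; return v;
}

value make_string(const char *s) {
    value v; v.tag = TAG_STRING;
    v.u.s = malloc(strlen(s) + 1);
    if (v.u.s) strcpy(v.u.s, s);
    return v;
}

/* Unchecked accessor: trusts the caller's belief that v is an integer.
 * Given a TAG_STRING value it silently returns the pointer's bit pattern,
 * which is the essence of type confusion (reading a pointer as an int is
 * not undefined here, but the reverse direction in real engines is memory
 * corruption). */
int64_t value_as_int_unchecked(const value *v) {
    return v->u.i;
}

/* Checked accessor: the "improved check". Returns 1 and fills *out only when
 * the tag matches; returns 0 otherwise so the caller cannot misuse the data. */
int value_as_int(const value *v, int64_t *out) {
    if (v->tag != TAG_INT) return 0;
    *out = v->u.i;
    return 1;
}

/* Same pattern for the string member: never dereference u.s unless the tag
 * confirms a string is actually stored there. */
int value_string_length(const value *v, size_t *out) {
    if (v->tag != TAG_STRING || v->u.s == NULL) return 0;
    *out = strlen(v->u.s);
    return 1;
}

void value_free(value *v) {
    if (v->tag == TAG_STRING) { free(v->u.s); v->u.s = NULL; }
}

int main(void) {
    value n = make_int(42);
    value s = make_string("hello");      /* constructed sample input */
    int64_t x; size_t len;

    printf("unchecked read of a string as int: %lld (garbage)\n",
           (long long)value_as_int_unchecked(&s));
    printf("checked read of int: ok=%d value=%lld\n",
           value_as_int(&n, &x), (long long)x);
    printf("checked read of string as int: ok=%d (rejected)\n",
           value_as_int(&s, &x));
    printf("checked string length: ok=%d len=%zu\n",
           value_string_length(&s, &len), len);
    printf("checked int as string: ok=%d (rejected)\n",
           value_string_length(&n, &len));

    value_free(&s);
    return 0;
}
```

The unchecked accessor compiles and runs without complaint, which is why this class of bug survives review: nothing fails until an attacker-controlled value arrives with the wrong tag. The checked accessors make the mismatch an explicit, testable error.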
The security fixes also address a kernel vulnerability (CVE-2023-23514) in iOS, iPadOS and macOS Ventura that was discovered by researchers at Google Project Zero, and a Shortcuts vulnerability (CVE-2023-23522) in macOS Ventura.
In its postings, Apple added that it “would like to acknowledge The Citizen Lab at The University of Toronto’s Munk School for their assistance,” though it didn’t specify which issue or issues The Citizen Lab had assisted with.
The organization has been active in uncovering and publicizing vulnerabilities that can be utilized in surveillance activities, and is well-known for exposing spyware makers such as NSO Group.