Happy belated Patch Tuesday from Cupertino: Apple has issued security updates for almost every piece of code it slings – including a fix for a vulnerability in older iOS devices the iGiant believes is under attack right now.
The actively exploited flaw, which is now patched on iOS and iPadOS 15, is in the WebKit engine: CVE-2023-23529 is a type confusion issue that could allow malicious web content to execute arbitrary code on vulnerable devices. “Apple is aware of a report that this issue may have been actively exploited,” Cupertino commented.
That means those vulnerable iPhones and iPads could be hijacked by malicious webpages on the internet, a hole someone has been abusing, so update your stuff as soon as you can. The fix is available for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
Patches were also published this week for separate flaws in Apple’s Studio Display firmware and in Safari 16.4 on macOS Big Sur and Monterey, plus separate security patches for macOS Big Sur, Monterey and Ventura, iOS 16.4, watchOS 9.4, and tvOS 16.4.
Suffice it to say, if you own an Apple product it’s a good idea to get these updates installed ASAP. That said, Apple users are usually better than most about being fully patched since there’s only a single manufacturer to push out updates, compared to the more fractured Android landscape.
WebKit vuln needs an urgent patch
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) logged the WebKit type confusion flaw in its Known Exploited Vulnerabilities Catalog on February 14, a day after Apple patched the issue in macOS Ventura, Safari 16 on macOSes Big Sur and Monterey, and iOS 16. Crucially, back then, Apple knew the WebKit hole was under active attack.
In its entry for the vulnerability, the National Institute of Standards and Technology gave it a CVSS severity rating of 8.8 out of 10, which is quite high. This raises the question of why Apple decided to wait more than a month before providing this update to the previous version of iOS, which was superseded by iOS 16 in September of last year.
We asked Apple for an explanation as to why it left 20 percent of iPhones and more than a quarter of the iPads in circulation without a critical security patch for an active exploit for over a month, and didn’t receive an answer.
One answer may lie in January’s patch bundle from Apple, which included a fix for a similar WebKit flaw, also under active attack, for iOS 12 users. Occam’s (sometimes inaccurate) Razor would suggest the two cases may be linked.
As we noted in 2021 when iOS 15 was released, Apple told users it would make updating their devices to the latest version of iOS an optional decision – at least for some time.
“You can update to the latest version of iOS 15 as soon as it’s released for the latest features and most complete set of security updates. Or continue on iOS 14 and still get important security updates until you’re ready to upgrade to the next major version,” Apple said in the iOS 15 release notes.
Apple later backtracked and forced users to update to iOS 15 in January 2022. Apple made similar upgrade concessions for users running iOS 15 whose devices are iOS 16 compatible, though in January it changed its tune on the 15/16 split: it is now only issuing security updates for iOS 15 on devices that don’t support iOS 16, which is reflected in the iOS 15 patch notes issued yesterday. In other words, if your Apple device can run the latest OS, Cupertino really wants you on it.
Only iPhone 6s, iPhone 7, 1st gen iPhone SE, iPad Air 2, 4th gen iPad mini and 7th generation iPod touch are eligible to install iOS 15.7.4; if that’s you, patch now, otherwise it’s time to finally upgrade. ®