Apple on Monday released a flurry of small updates that might not seem very important. There are no new features, a few minor fixes, and barely any release notes to speak of. But if you haven’t installed them on your devices, you should go update them right now.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A type confusion issue was addressed with improved checks.
- WebKit Bugzilla: 251944/CVE-2023-23529: an anonymous researcher
Apple hasn’t released specifics about how the flaw may have been exploited. It’s the first zero-day flaw fixed this year.
The patch is for iPhone 8 and later, iPad Air (3rd gen) and later, iPad (5th gen) and later, iPad mini (5th gen) and later, MacBook Pro (2017 and later), MacBook Air (2018 and later), MacBook (2017 and later), iMac (2017 and later), Mac mini (2018 and later), and Mac Studio. There’s also a Safari 16.3.1 update for Macs running macOS Big Sur and Monterey.
Apple also released updates for tvOS 16.3.2 and watchOS 9.3.1, but hasn’t yet published the CVE entries. It’s not clear whether there’s an update coming for iOS 15 devices as well.
In addition to the WebKit patch, the iOS, iPadOS, and macOS updates also include a fix for a “use after free” issue that could allow an app to execute arbitrary code with kernel privileges.
To update your device, go to the Settings app on your iPhone or iPad, or System Settings on macOS Ventura Macs, then General and Software Update. To update Safari on macOS Big Sur or Monterey, go to System Preferences then Software Update, click the box next to the Safari 16.3.1 update, and then select Install Now.