On Thursday, Apple's updates to all of its operating systems included some new features -- but more importantly, a severe security flaw that was actively being exploited was stopped in its tracks.
Apple issues latest security patches
On Thursday, Apple released iOS 16.5, iPadOS 16.5, watchOS 9.5, macOS Ventura 13.4, and tvOS 16.5. The primary new element is a brand new "Sports" tab in the Apple News app, along with new features for Siri and the Apple TV app.
However, in addition to all that, the new software updates also include patches for potentially exploited issues, all related to WebKit. The patches are present across all the updated software, and, as such, users should make sure to update their devices as soon as possible.
Two of the three exploits were initially patched with Apple's rapid security response with the public release of iOS 16.4.1 in April. This latest update should make sure everyone is covered moving forward, even if they didn't update their devices with that particular software patch.
To update your iOS and macOS devices, open Settings --> General --> Software Update and follow the onscreen instructions. If you have Automatic Updates switched on, your devices will update the next time they are charging.
The patch notes for iOS/iPadOS are below, but the exploits are the same across all of the major releases:
WebKit
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
- Description: The issue was addressed with improved bounds checks.
WebKit Bugzilla: 255350
CVE-2023-32409: Clement Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill of Amnesty International's Security Lab
WebKit
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
- Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 254930
CVE-2023-28204: an anonymous researcher
WebKit
- Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 254840
CVE-2023-32373: an anonymous researcher
The software updates are available to download now.