Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads and Macs.

Today’s zero-day patch is tracked as CVE-2023-23529 [1, 2] and is a WebKit confusing issue that could be exploited to trigger operating system crashes and achieve code execution on compromised devices.

A successful exploit allows attackers to execute arbitrary code on devices running vulnerable iOS, iPadOS, and macOS versions after opening a malicious web page.

“The processing of maliciously crafted web content may lead to the execution of arbitrary code,” Apple said in describing Day Zero.

“Apple is aware of a report that this issue may have been actively exploited.”

Apple fixed CVE-2023-23529 with improved checks in iOS 16.3.1, iPadOS 16.3.1, and macOS Ventura 13.2.1.

The full list of affected devices is quite extensive, as the bug affects both older and newer models, and includes:

• iPhone 8 and later
• iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
• Mac running macOS Ventura

Today, Apple also fixed a kernel use-after-release flaw (CVE-2023-23514) reported by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero that could lead to arbitrary code with privileges of kernel on Mac and iPhone.

First zero-day patch by Apple this year

Although the company has disclosed that it is aware of reports of in-the-wild exploitation, it has yet to release any information regarding these attacks.

By restricting access to this information, Apple likely wants to allow as many users as possible to update their devices before more attackers discover zero-day details to develop and deploy their own custom exploits targeting iPhones. iPad and Mac vulnerable.

Although this zero-day bug was likely only used in targeted attacks, it is strongly recommended that you install today’s emergency updates as soon as possible to block potential attack attempts.

Last month, Apple also backported Security patches for a remotely exploitable zero-day flaw discovered by Clément Lecigne of Google’s Threat Analysis Group on older iPhones and iPads.