Apple has released security updates to backport fixes released last month, fixing an actively exploited zero-day bug for older iPhones and iPads.

The vulnerability (CVE-2023-23529) is a confusing WebKit-like issue that the company fixed on new iPhone and iPad devices on February 13, 2023.

Potential attackers can use it to trigger operating system crashes and obtain code execution on compromised iOS and iPadOS devices after a successful exploit.

Threat actors can then execute arbitrary code on targeted iPhones and iPads after tricking victims into opening malicious web pages (this bug also impacts Safari 16.3.1 on macOS Big Sur and Monterey).

“The processing of maliciously crafted web content may lead to the execution of arbitrary code. Apple is aware of one report that this issue may have been actively exploited,” Apple describes in the zero-day case. “Apple is aware of a report that this issue may have been actively exploited.”

Apple also hit day zero in iOS 15.7.4 and iPadOS 15.7.4 today with improved controls.

The list of affected devices includes iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation) and iPod touch (7th generation).

First zero-day exploited in the wild patched this year

Although Apple says it is aware of reports that this vulnerability has been exploited in attacks, the company has not yet released information regarding these incidents.

However, this is standard procedure for Apple when disclosing wildly exploited zero-day security patches.

Restricting access to technical details allows more users to secure their devices and slows attackers’ efforts to develop and deploy additional exploits targeting vulnerable devices.

Although zero-day CVE-2023-23529 has likely only been used in targeted attacks, you are strongly advised to install today’s security updates as soon as possible to block hacking attempts. potential attacks targeting users of iPhone and iPad devices running older software.

In January, Apple also backported patches for a remotely exploitable zero-day flaw (reported by Clément Lecigne of Google’s Threat Analysis Group) on older iPhones and iPads.