"Apple Patches Actively Exploited WebKit Zero-Day Vulnerability"
Apple recently announced the release of updates for macOS, iOS, and Safari, and they all include a WebKit patch for a new zero-day vulnerability tracked as CVE-2023-23529. The zero-day, described as a type confusion issue, can be exploited for arbitrary code execution by getting the targeted user to access a malicious website. Apple noted that an anonymous researcher has been credited for reporting CVE-2023-23529 and that no information has been made public on the attacks exploiting the vulnerability. In addition to the zero-day, Apple's latest macOS update, Ventura 13.2.1, patches a code execution issue in the kernel (CVE-2023-23514) reported by researchers at Google Project Zero and Pangu Lab, as well as a shortcuts-related flaw that can expose user data (CVE-2023-23522), reported by researchers of the Alibaba Group. Apple did not mention any reports of exploitation associated with these two vulnerabilities. The iOS and iPadOS 16.3.1 updates also fix the CVE-2023-23514 kernel issue in addition to the zero-day. Apple noted that the latest Safari update, version 16.3.1, only fixes the zero-day flaw.
SecurityWeek reports: "Apple Patches Actively Exploited WebKit Zero-Day Vulnerability"