Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems.

- iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635).
- Apple Watches on version 9 go to watchOS 9.3.1 (no bulletin).
- Macs running Ventura (version 13) go to macOS 13.2.1 (see HT213633).
- Macs running Big Sur (version 11) and Monterey (12) get an update dubbed Safari 16.3.1 (see HT213638).

Oh, and tvOS gets an update, too, although Apple's TV platform confusingly goes to tvOS 16.3.2 (no bulletin).

Apparently, tvOS recently received a product-specific functionality fix (one listed on Apple's security page with no information beyond the sentence "This update has no published CVE entries", implying no reported security fixes) that already used up the version number 16.3.1 for Apple TVs.

As we've seen before, mobile devices still using iOS 15 and iOS 12 get nothing, but whether that's because they're immune to this bug or simply that Apple hasn't got round to patching them yet…

Given that the Safari browser has been updated on the pre-previous and pre-pre-previous versions of macOS, we're assuming that older mobile devices will eventually receive patches, too, but you'll have to keep your eyes on Apple's official HT201222 Security Updates portal to know if and when they come out.

We've never been quite sure whether this counts as a telltale of delayed updates or not, but (as we've seen in the past) Apple's security bulletin numbers form an intermittent integer sequence.

The numbers go from 213633 to 213638 inclusive, with gaps at 213634 and 213637. Are these security holes that will get backfilled with yet-to-be-released patches, or are they just gaps?

As mentioned in the headline, this is another of those "this smells like spyware or a jailbreak" issues, given that all the updates for which official documentation exists include patches for a bug denoted CVE-2023-23529.

This security hole is a flaw in Apple's WebKit component that's described as "Processing maliciously crafted web content may lead to arbitrary code execution."

The bug also receives Apple's usual euphemism for "this is a zero-day hole that crooks are already abusing for evil ends, and you can surely imagine what those might be", namely the words "Apple is aware of a report that this issue may have been actively exploited."

Remember that WebKit is a low-level operating system component that's responsible for processing data fetched from remote web servers so that it can be displayed by Safari and by the many other web-based windows programmed into hundreds of other apps.

Remember also that on Apple's mobile devices, even non-Apple browsers such as Firefox, Chrome and Edge are compelled by Apple's App Store rules to stick to WebKit.

So, the words arbitrary code execution above really stand for remote code execution, or RCE.

Web-based RCE exploits generally give attackers a way to lure you to a booby-trapped website that looks entirely unexceptionable and unthreatening, while implanting malware invisibly simply as a side-effect of you viewing the site.

A web RCE typically doesn't provoke any popups, warnings, download requests or any other visible signs that you are initiating any sort of risky behaviour, so there's no point at which the attacker needs to catch you out or to trick you into taking the sort of online risk that you'd normally avoid.

Just looking at a website, which ought to be harmless, or opening an app that relies on web-based content for any of its pages (for example its splash screen or its help system), could be enough to infect your device.

That's why this sort of attack is often referred to as a drive-by download or a drive-by install.

If you have an Apple product on the list above, do an update check now.

If you install Firefox (which has its own browser "engine" called Gecko) or Edge (based on an underlying layer called Blink) on your Mac, those alternative browsers don't use WebKit under the hood, and therefore won't be vulnerable to WebKit bugs.

(Note that this doesn't immunise you from security problems, given that Gecko and Blink may bring along their own additional bugs, and given that plenty of Mac software components use WebKit anyway, whether you steer clear of Safari or not.)

But on iPhones and iPads, all browsers, regardless of vendor, are required to use the operating system's own WebKit substrate, so all of them, including Safari, are theoretically at risk when a WebKit bug shows up.
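One way to turn the "do an update check now" advice into something you can run over a fleet inventory, as an added example that is not part of the article: a small Python checker that compares an installed version against the fixed versions listed above. The version table is taken from the article; the `is_patched` and `advice` helpers, the product names used as keys, and the idea of passing the Safari version for Big Sur and Monterey Macs are this example's own assumptions. The point worth noting is that versions must be compared numerically, because a string comparison would rank "16.10" below "16.3.1".

```python
"""
Added example: "am I on a fixed build for CVE-2023-23529?" check.
Version table from the article; everything else is illustrative.
"""
import re

# Fixed versions as listed in the article (HT213633 / HT213635 / HT213638,
# plus the no-bulletin watchOS and tvOS builds).
PATCHED_VERSIONS = {
    "iOS": "16.3.1",
    "iPadOS": "16.3.1",
    "watchOS": "9.3.1",
    "tvOS": "16.3.2",
    "macOS": "13.2.1",   # Ventura
    "Safari": "16.3.1",  # Big Sur / Monterey receive a Safari-only update
}


def parse_version(text):
    """Turn '16.3.1' into (16, 3, 1) so comparison is numeric, not lexical."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(parts, width):
    """Right-pad with zeros so (16, 3) compares as (16, 3, 0)."""
    return parts + (0,) * (width - len(parts))


def is_patched(product, installed):
    """True if the installed version is at or above the fixed version."""
    fixed = parse_version(PATCHED_VERSIONS[product])
    have = parse_version(installed)
    width = max(len(fixed), len(have))
    return _pad(have, width) >= _pad(fixed, width)


def advice(product, installed):
    """Short verdict for one device. For macOS 11/12, call with "Safari"
    and the Safari version, since those Macs get no macOS version bump
    (assumed usage, not prescribed by the article)."""
    major = parse_version(installed)[0]
    # The article notes iOS 15 and iOS 12 received nothing at time of writing.
    if product in ("iOS", "iPadOS") and major < 16:
        return "no fix listed for this branch; watch HT201222"
    return "patched" if is_patched(product, installed) else "update now"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("iOS", "16.3.1"),
        ("iOS", "16.3"),
        ("iPadOS", "15.7.3"),
        ("macOS", "13.2"),
        ("Safari", "16.3.1"),
        ("tvOS", "16.3.1"),
    ]
    for product, version in inventory:
        print(f"{product:8} {version:8} -> {advice(product, version)}")
```

Feed it whatever your MDM or `sw_vers` output gives you; the `_pad` step is what makes "13.2" correctly read as older than "13.2.1" rather than raising or comparing the wrong way.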