Apple Fixes 3 Zero-Days Exploited in the Wild
Vulnerabilities Exist in Apple-Mandated WebKit Browser Engine
Apple is patching actively exploited zero-day flaws in its browser rendering engine for mobile devices, and one cybersecurity firm says the vulnerabilities are likely evidence of takeover attacks.
The smartphone giant released patches for an out-of-bounds read flaw tracked as CVE-2023-28204 and a use-after-free vulnerability tracked as CVE-2023-32373.
Both flaws were the subject of Apple's first-ever Rapid Security Response on May 1 - security updates Apple says are meant to address pressing vulnerabilities that shouldn't wait for a full iOS update.
"Generally speaking, when two zero-days of this sort show up at the same time in WebKit, it's a good bet that they've been combined by criminals to create a two-step takeover attack," wrote Sophos security proselytizer Paul Ducklin on Friday. WebKit is Apple's mandatory engine for web browsers operating on iOS, including for apps that allow in-app web browsing.
Ducklin told Information Security Media Group he can't say for certain whether attackers chained together the two zero-days, but some indicators suggest they did. The flaws were disclosed by an anonymous researcher and were treated with urgency by Apple. "It smells like they were reported at exactly the same time and they were patched, for those lucky enough to get the rapid responses, at exactly the same time, in an emergency."
Operating systems defend against memory corruption flaws such as CVE-2023-32373 by randomizing the addresses at which code and data are loaded, meaning that an attacker who does not know the layout might not be able to do more with such a flaw than crash the affected program. But the out-of-bounds read flaw CVE-2023-28204 could reveal secrets about the memory layout inside a program, making it easier to take over, Ducklin said.
"There are a lot of secrets in memory about how memory is structured," he said. If the flaw did allow attackers to extract memory addresses, that would make the out-of-bounds CVE-2023-28204 flaw a reliable way to launch an attack, he added.
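The two paragraphs above describe the general mechanism, not the internals of the WebKit bugs. The following C program is an added illustration written for this page, not code from the article, from Apple or from WebKit, and it uses a constructed toy object with hypothetical names (`struct widget`, `click_handler`, `privileged_action`) rather than any real browser structure. It shows why an out-of-bounds read matters even when it cannot corrupt anything: reading past a fixed-size field lands on a neighbouring pointer, and because address-space layout randomization slides a whole module as one unit, a single leaked pointer fixes the location of every other function in that module. The hardened accessor beside it is the bounds check that closes the leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy object (hypothetical names, not a WebKit structure): a
 * fixed-size text field followed by a function pointer. Reading past the end
 * of `name` lands on `on_click`, which is what turns an out-of-bounds read
 * into an information leak rather than a plain crash. */
struct widget {
    char name[16];
    void (*on_click)(void);
};

static void click_handler(void) { puts("clicked"); }
static void privileged_action(void) { puts("privileged action"); }

/* Vulnerable accessor: takes the caller's index on trust. The object is read
 * through a byte view, so the access stays inside the struct and is well
 * defined C, but logically it is out of bounds for `name` once idx >= 16. */
static unsigned char name_byte_vulnerable(const struct widget *w, size_t idx)
{
    const unsigned char *raw = (const unsigned char *)w;
    return raw[offsetof(struct widget, name) + idx];
}

/* Hardened accessor: rejects any index that is not inside `name`. */
static int name_byte_checked(const struct widget *w, size_t idx, unsigned char *out)
{
    if (idx >= sizeof w->name)
        return -1;
    *out = (unsigned char)w->name[idx];
    return 0;
}

/* What an attacker does with the leak: read the pointer bytes that sit just
 * past `name`, reassemble them, and use the result to locate another function
 * in the same module. Returns the recovered address of privileged_action. */
static uintptr_t recover_privileged_action(const struct widget *w)
{
    unsigned char bytes[sizeof w->on_click];
    size_t start = offsetof(struct widget, on_click) - offsetof(struct widget, name);

    for (size_t i = 0; i < sizeof bytes; i++)
        bytes[i] = name_byte_vulnerable(w, start + i);   /* past the end of name */

    uintptr_t leaked;
    memcpy(&leaked, bytes, sizeof leaked);   /* native byte order: equals on_click */

    /* ASLR relocates the module as a unit, so the distance between two of its
     * functions is constant across runs; one leaked pointer pins down the rest.
     * A real attacker reads this delta off a copy of the binary; here it is
     * computed in-process purely for the demonstration. */
    uintptr_t delta = (uintptr_t)privileged_action - (uintptr_t)click_handler;
    return leaked + delta;
}

/* Builds the constructed sample object used by main and by the checks below. */
static struct widget make_widget(void)
{
    struct widget w;
    memset(&w, 0, sizeof w);
    strcpy(w.name, "hello");
    w.on_click = click_handler;
    return w;
}

int main(void)
{
    struct widget w = make_widget();
    unsigned char b;

    printf("on_click lives at            %p\n", (void *)(uintptr_t)w.on_click);
    printf("recovered privileged_action  %p (actual %p)\n",
           (void *)recover_privileged_action(&w), (void *)(uintptr_t)privileged_action);
    printf("checked read at index 16: %s\n",
           name_byte_checked(&w, 16, &b) == 0 ? "allowed" : "rejected");
    return 0;
}
```

Run it twice under a PIE build and the absolute addresses change each time, which is what randomization buys; the recovered address still matches the real one both times, because the leak hands the attacker the one value randomization was supposed to hide. The checked accessor returns -1 for index 16 and never reads the pointer at all.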
Apple also patched a third WebKit vulnerability, tracked as CVE-2023-32409, that allows remote attackers to break out of the Web Content sandbox.
"We don't know if the third zero-day was connected with the other two," Ducklin said. If it was, then the three zero-days combined would be the equivalent of a home run for an attacker: the first bug could reveal the memory addressing secrets needed to exploit the second bug reliably, while the second bug could allow code to be implanted that exploits the third.
Software developers have criticized Apple's requirement that all iOS web rendering use WebKit. At least three dozen developers in 2022 formed an advocacy organization criticizing it as buggy and anti-competitive since it pushes developers into the App Store and away from web apps.
Supporters of WebKit say it avoids users having to download multiple libraries and lets Apple control web engine security.
Apple isn't giving consumers a choice to switch browsers if they think one is safer than another, Ducklin said. Any browser on iOS that isn't Apple's Safari is essentially a reskinned version of Safari. "I think a lot of people assume that they have this other company's browser, and of course they don't. They're not getting away from any bugs in Safari," he added.