On Monday, February 13, Apple released fixes for multiple products, including iOS, macOS, Safari, iPadOS, tvOS, and watchOS. The updates for iOS and iPadOS 16.3.1 and macOS 13.2.1 address an actively exploited arbitrary code execution flaw in WebKit/Safari.
Note
- The 0-day vulnerability is in WebKit, Apple’s open source browser engine, which is also included in other browsers. In addition to the WebKit problem, Apple fixed a privilege escalation issue that could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability.
- Apple reports this is being actively exploited. Given that Apple just released 16.3 (and we’re all still getting that rolled out), I’d treat this as a zero-day fix and pause 16.3 to push this instead.
- The Apple security notice is vague; however, it mentions remote code execution at the kernel level and being actively exploited in the wild. It’s not yet well understood how reliable or complex the exploit is to recreate, but you should patch now as it’s actively exploited. There were a couple of reports that Google Photos was not working when iPhones were patched, but on my own devices that has not manifested itself. It also takes a long time for this update to go through on both macOS and certain phones, so expect a good amount of downtime. On macOS, something like 20-25 minutes on the most recent Intel MacBook Pro seems to be the case.
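As an added example (not part of the original post), a small fleet check that flags device inventory rows still below the fixed versions named above. The inventory rows are constructed; in practice they would come from an MDM export.

```python
"""Flag devices still below the fixed versions named in the advisory above.

Added example, not from the original post. Sample inventory is constructed.
"""
from __future__ import annotations

# Minimum versions carrying the WebKit fix, as stated in the advisory.
# tvOS and watchOS also received updates, but the post gives no version
# numbers for them, so they fall through to "needs review" below.
FIXED_VERSIONS = {
    "iOS": "16.3.1",
    "iPadOS": "16.3.1",
    "macOS": "13.2.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.3' or '13.2.1' into an int tuple so 16.3 < 16.3.1 and 16.10 > 16.9.

    Plain string comparison would get both of those wrong.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(platform: str, version: str) -> bool | None:
    """True/False against the fixed version; None when the post names no fix version."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def unpatched_devices(inventory: list[dict[str, str]]) -> list[str]:
    """Names of devices that are unpatched or whose status cannot be confirmed."""
    return [d["name"] for d in inventory if is_patched(d["platform"], d["version"]) is not True]


# Constructed sample inventory (names and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "ceo-iphone", "platform": "iOS", "version": "16.3"},
    {"name": "dev-ipad", "platform": "iPadOS", "version": "16.3.1"},
    {"name": "build-mac", "platform": "macOS", "version": "13.2"},
    {"name": "design-mac", "platform": "macOS", "version": "13.2.1"},
    {"name": "lobby-appletv", "platform": "tvOS", "version": "16.3"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print("needs update or review:", name)
```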