A zero-day vulnerability has been identified in some versions of iOS, iPadOS, macOS, and Safari. Apple have confirmed they are aware of reports of this vulnerability being actively exploited in the wild. Emergency security updates have been released this week so that the vulnerability can be patched as soon as possible across all affected devices. Apple publish all security updates online through their support page, where details of the latest software can be found.
The vulnerability, tracked as CVE-2023-23529, exists in WebKit, the browser engine used by Safari and by the affected operating systems. Apple have released few details about this vulnerability, to allow time for users to apply the new security patches before more information about potential exploits is made public. At the time of publishing the CVE details have not been fully released, so the severity of this flaw is unknown; however, as an exploit is believed to be active in the wild, it is likely to be of high or critical severity. This zero-day is a type confusion vulnerability, a logic error that can lead to out-of-bounds memory access. To exploit the flaw, an attacker first needs to craft malicious web content, which through the type confusion can lead to code execution on the target device. Apple have fixed this issue in the new updates by issuing improved checks.
To best protect devices from this actively exploited vulnerability, users should apply the security patch by upgrading to a fixed version of the relevant application or OS as soon as possible. Users of iPhone 8 and later, iPad Pro, iPad Air 3rd Gen, iPad 5th Gen, and iPad mini 5th Gen, and later models, should update their devices to the fixed versions iOS 16.3.1 and iPadOS 16.3.1. macOS Ventura users need to update to macOS Ventura 13.2.1, whereas macOS Big Sur and macOS Monterey users only need to update their version of Safari to Safari 16.3.1.
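The remediation rules above are easy to get wrong in a fleet check because Big Sur and Monterey are fixed through the Safari version rather than the OS version. The following is an added example, not Apple's code or part of the original advisory: it encodes the fixed versions named above and flags devices that still need patching; the platform labels and the sample inventory are constructed for this example.

```python
# Added example: check a device inventory against the CVE-2023-23529 fixed
# versions named in the advisory. Platform labels and the sample inventory
# are constructed for this example, not Apple identifiers.
from typing import List, Optional, Tuple

# Fixed versions from the advisory. macOS Big Sur and Monterey are
# remediated via Safari 16.3.1 rather than an OS update.
FIXED_OS = {
    "ios": (16, 3, 1),
    "ipados": (16, 3, 1),
    "macos_ventura": (13, 2, 1),
}
FIXED_SAFARI = (16, 3, 1)
SAFARI_ONLY = {"macos_bigsur", "macos_monterey"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.3' or '16.3.1' into a comparable tuple, padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(platform: str, os_version: str,
               safari_version: Optional[str] = None) -> bool:
    """True if the device carries the fix; ValueError for platforms the
    advisory does not cover, so an inventory run fails loudly rather than
    silently marking an unknown platform as safe."""
    if platform in SAFARI_ONLY:
        if safari_version is None:
            return False  # no Safari version reported: assume unpatched
        return parse_version(safari_version) >= FIXED_SAFARI
    if platform in FIXED_OS:
        return parse_version(os_version) >= FIXED_OS[platform]
    raise ValueError(f"platform not covered by the advisory: {platform}")


# Constructed sample inventory: (host, platform, OS version, Safari version)
SAMPLE_INVENTORY = [
    ("phone-01", "ios", "16.3", None),
    ("phone-02", "ios", "16.3.1", None),
    ("mac-01", "macos_ventura", "13.2", "16.3"),
    ("mac-02", "macos_monterey", "12.6.3", "16.3.1"),
    ("mac-03", "macos_bigsur", "11.7.4", "16.3"),
]


def unpatched_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hosts still exposed, for a remediation report."""
    return [h for h, p, o, s in inventory if not is_patched(p, o, s)]
```

Running `unpatched_hosts()` on the sample inventory reports phone-01, mac-01 and mac-03 as still exposed; mac-02 passes because Monterey only needs Safari 16.3.1.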