March Vuln of the Month: CVE-2023-23529
If you’re a Mac shop, it’s time to put down that March Madness bracket and shift your attention toward an Apple WebKit vulnerability that’s scoring high in all the wrong ways. March’s Vuln of the Month is CVE-2023-23529, a type confusion vulnerability in WebKit that, properly exploited, lets an attacker remotely execute code on a macOS system or iOS device.
All a user need do is be lured into loading maliciously crafted web content. Because the bug sits in the rendering engine, simply processing a malicious page in Safari (or in any app that displays web content through WebKit) is enough to trigger the type confusion; a successful attack then runs the attacker’s own payload on the device.
Our research shows that CVE-2023-23529 meets many of the criteria we look for to be exploited, including:
- Access complexity: Low
- Potential attack surface: Global
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: High
- Exploit code published: No
- Active exploits observed: Yes
CVE-2023-23529 earns a Kenna Risk Score of 93. Fewer than 1% of CVEs earn a higher score. Earlier, we had observed a CVSS 3.x base score of 10.0, the highest score CVSS gives to vulns, with the confidentiality, integrity, and availability impact metrics all rated High. That CVSS score has settled a tad and is now at 8.8 (High), which reflects that the attack needs no privileges and works over the network but does require user interaction: the victim has to load the malicious content.
Why CVE-2023-23529 matters
WebKit is the rendering engine that drives Apple’s Safari browser—the default browser on virtually all Apple devices—and, on iOS, the engine every third-party browser is required to use as well. (It also powers applications on other platforms, including Windows and Android, but this vuln appears limited to Apple platforms.) No one wants someone else executing code on their device, which on its own makes this a risky vulnerability. But in corporate BYOD environments, a compromised personal device that also reaches corporate resources could have a far more widespread impact.
Apple has been characteristically tight-lipped about the nature of the reported exploit, though some researchers suggest the vuln could have been exploited to spy on users. It’s impossible to know, but given the global footprint of Apple devices and the fact that the fix only lands once users actually install an updated OS, there’s a reason this vulnerability has a higher risk profile than 99% of those out there.
Although we have not seen public exploit code or observed exploit attempts in our own data, Apple’s advisory states that the issue may have been actively exploited, and CISA has added CVE-2023-23529 to its Known Exploited Vulnerabilities (KEV) catalog.
Bottom line
Given that threat actors can exploit this vulnerability with no authentication required, simply by luring users to maliciously crafted web content, combined with its broad footprint across popular Apple desktop and mobile devices—and its proven exploitability—this vuln is worth fixing now.
Mitigation status
Apple has released updates that patch this vuln in iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1. Owners of iPhones, iPads, and iPad minis should check for available updates and upgrade their devices as soon as possible. Users of older devices (e.g., iPhone 7 and older) that cannot run iOS 16 may have a wait ahead of them. macOS Ventura users need to update to 13.2.1; Big Sur and Monterey users receive the fix through the Safari 16.3.1 update instead. (Some updates fix other security issues as well, so time spent updating is time well spent.)
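A practical way to act on the version list above is to compare what your fleet is actually running against the fixed releases. The script below is an added example, not Kenna’s or Apple’s code: the fixed versions come from Apple’s advisory as quoted above, while the function names, the dotted-version comparison, and the inventory lines are this example’s own (the inventory is constructed sample data, not real devices). It treats Ventura hosts as fixed at macOS 13.2.1, Big Sur/Monterey hosts as fixed at Safari 16.3.1, and anything older as having no fix available; on a Mac it also checks the live host.

```shell
#!/bin/sh
# Added example: audit macOS/iOS versions against the CVE-2023-23529 fix levels.
# Fixed releases per Apple: iOS/iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3.1.

# vercmp A B: prints -1, 0 or 1 as dotted version A is lower than, equal to,
# or higher than B. Missing components count as 0; non-digits are dropped.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# webkit_status MACOS_VERSION SAFARI_VERSION: prints fixed, vulnerable or unsupported.
# Ventura (13.x) is fixed by the OS update; Big Sur/Monterey (11.x/12.x) are fixed
# by Safari 16.3.1; anything older has no Safari 16 build and therefore no fix.
webkit_status() {
  macos="$1"; safari="$2"
  major="${macos%%.*}"
  if [ "$major" -ge 13 ]; then
    [ "$(vercmp "$macos" 13.2.1)" -ge 0 ] && echo fixed || echo vulnerable
  elif [ "$major" -ge 11 ]; then
    [ "$(vercmp "$safari" 16.3.1)" -ge 0 ] && echo fixed || echo vulnerable
  else
    echo unsupported
  fi
}

# mobile_status VERSION: iOS and iPadOS share the 16.3.1 fix level.
mobile_status() {
  [ "$(vercmp "$1" 16.3.1)" -ge 0 ] && echo fixed || echo vulnerable
}

# Constructed sample inventory (hypothetical devices): name,product,version[,safari]
SAMPLE_INVENTORY='
ip-sales-01,ios,16.3.1
ip-sales-02,ios,16.3
ipad-lab-07,ipados,16.2
mbp-eng-03,macos,13.2.1
mbp-eng-04,macos,13.2
mbp-fin-01,macos,12.6.3,16.3.1
mbp-fin-02,macos,12.6.3,16.3
imac-old-01,macos,10.15.7,15.6.1
'

# audit_inventory: reads inventory lines on stdin, prints "name status" per device.
audit_inventory() {
  while IFS=, read -r name product version safari; do
    [ -z "$name" ] && continue
    case "$product" in
      ios|ipados) st=$(mobile_status "$version") ;;
      macos)      st=$(webkit_status "$version" "${safari:-0}") ;;
      *)          st=unknown ;;
    esac
    echo "$name $st"
  done
}

# count_vulnerable: number of sample devices still exposed.
count_vulnerable() {
  printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory | grep -c ' vulnerable$'
}

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory

# On a Mac, also check the live host (sw_vers and the Safari bundle version).
if command -v sw_vers >/dev/null 2>&1; then
  mac_ver=$(sw_vers -productVersion)
  saf_ver=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null || echo 0)
  echo "this host: macOS $mac_ver, Safari $saf_ver -> $(webkit_status "$mac_ver" "$saf_ver")"
fi
```

Feed it your MDM export in the same `name,product,version[,safari]` shape and anything reported as `vulnerable` is a device that still needs the update; `unsupported` hosts cannot be patched and should be kept off untrusted web content or retired.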
Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.