Apple has released security updates to counter the exploitation of several WebKit vulnerabilities. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, these vulnerabilities affect WebKit, the browser engine Apple uses in its Safari browser.
Apple requires other browsers operating within the iOS ecosystem to use WebKit as well.
CVE-2023-32409 allows a remote attacker to escape the Web Content sandbox, with the discovery credited to the diligent efforts of Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
What the other errors do
CVE-2023-28204 concerns the disclosure of sensitive information during the processing of web content, while CVE-2023-32373 enables remote code execution through maliciously crafted web pages.
iPhones from the eighth generation onward, all iPad Pros, iPad Airs from the third generation onward, iPads from the fifth generation onward and iPad minis from the fifth generation onward are all affected by this group of vulnerabilities.
At the time of writing, detailed information and severity scores on these recently disclosed CVEs are not yet available. Nevertheless, the reality remains stark and disturbing: More than a billion iPhones and iPads are exposed and vulnerable, casting a shadow of doubt on Apple’s once-lauded claims of security invincibility.
The argument for more competition
While Apple maintains its policy of not disclosing, discussing, or confirming security vulnerabilities until a proper investigation has been conducted and patches or releases are available, the urgency of the situation necessitates rapid action.
The disclosure of these WebKit vulnerabilities could fuel developer discontent and reinforce calls for Apple to open its platform to competing browser engines. Such a move would invite more developers to contribute to these projects and strengthen their security measures.
Apple is reportedly moving closer to allowing multiple engines, if only to appease regulators. Many critics argue for more competition within Apple’s domain.