Web browsers are complex applications and need to be constantly patched to keep malicious web pages from breaking out of their sandbox. Apple is now rolling out a fix for a Safari that addresses a critical security vulnerability.
Apple is now rolling out iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and updates for other platforms that address a handful of security problems. The iPhone, iPad, and Mac updates all include fixes for Safari’s engine (WebKit) and the operating system kernel, while the macOS update has an additional security fix for Shortcuts.
The WebKit engine update fixes a bug where improper use of a certain JavaScript library (jsonwebtoken) could allow remote code execution on the host device. Apple said it is “aware of a report that this issue may have been actively exploited,” meaning it may be used on some web pages. It was originally reported with the identifier CVE-2022-23529, but it has been officially withdrawn, as the National Vulnerability Database does not classify it as a software vulnerability.
The iOS and iPadOS updates also fixed a bug that allowed apps to execute arbitrary code with kernel-level privileges, which was discovered by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero. The macOS update addresses an additional vulnerability that allowed apps to “observe unprotected user data” through Shortcuts, which apparently doesn’t affect other platforms.
It’s a good idea to update your iPhone, iPad, and Mac as soon as possible to have the latest security patches. Apple is also rolling out Safari 16.3.1 to macOS Big Sur and macOS Monterey, for computers that haven’t been updated to Ventura yet (or are too old to run the latest release). You’re vulnerable even if you don’t use Safari itself — all web browsers on iPhone and iPad use Safari’s WebKit engine, and many Mac apps use the built-in rendering engine for displaying web content.
