It’s Patch Monday at Apple, with the company pushing out security updates for all of its platforms at once. And to judge from the release notes for its Mac, iPhone, and iPad updates, you should install these fixes as soon as possible.
The common risk addressed by updates now available for iOS 16, iPadOS 16, macOS Ventura and the current edition of Apple’s Safari (available for the preceding Big Sur and Monterey versions of macOS) is a vulnerability in the WebKit framework inside that browser.
“Processing maliciously crafted web content may lead to arbitrary code execution,” warns the relevant part of the release notes for iOS/iPadOS 16.3.1, Safari 16.3.1, and macOS 13.2.1. “Apple is aware of a report that this issue may have been actively exploited.”
In plainer English, that means that going to the wrong website can put malware on your machine, and an Apple customer somewhere in the world has probably learned about this the hard way. Those notes say that Apple fixed the “type confusion issue” at fault “with improved checks.”
The iPhone, iPad, and Mac patches also close a common kernel vulnerability that could let an app “execute arbitrary code with kernel privileges,” while the Mac fix addresses a bug that an app could exploit to “observe unprotected user data.” There’s no mention of those issues being actively exploited.
The software-update dialogs shown on an iPhone, iPad, or Mac are much less specific, falling back on the usual vague descriptions of “security improvements and bug fixes” (as shown for the Safari patch on a Mac mini running macOS Monterey) and “bug fixes and security updates” (on an iPad mini 6). Once again, those dialogs do not link
Read more on pcmag.com