On 13 February Apple released update 13.2.1 for macOS and 16.3.1 for iOS and iPadOS to address several vulnerabilities, one of which is being actively exploited. All three updates address CVE-2023-23514, a kernel vulnerability that may allow an application to achieve arbitrary code execution (ACE) with kernel privileges, and CVE-2023-23529, a WebKit flaw that is currently being exploited and allows crafted web content to achieve ACE. Additionally, the macOS update addresses CVE-2023-23522, a privacy vulnerability involving temporary files. Apple has elected not to disclose details of the WebKit vulnerability beyond stating that it is aware of active exploitation.
Companies are highly encouraged to patch as soon as their change management procedures allow. Threat actors currently using this exploit may ramp up deployment in an effort to compromise devices before they are patched. Additionally, pending further information from Apple about the specifics of the exploit, analysts should review their logs, as far back as their logging allows, for suspicious processes and activity stemming from Safari.
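An added example, not part of the original advisory: one way to triage a device inventory against the fixed releases named above (macOS 13.2.1, iOS and iPadOS 16.3.1). The host names, inventory rows and status labels are constructed for illustration; devices on a major version the advisory does not mention are flagged for manual review rather than judged.

```python
# Fixed releases named in the advisory, keyed by platform.
FIXED = {"macOS": (13, 2, 1), "iOS": (16, 3, 1), "iPadOS": (16, 3, 1)}


def parse_version(text):
    """Turn '16.3' into (16, 3, 0). Raises ValueError on anything non-numeric."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def triage(platform, version):
    """Classify one device against the fixed release for its platform."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown-platform"
    try:
        current = parse_version(version)
    except ValueError:
        return "unparsed"  # e.g. beta labels or suffixes; check by hand
    if current[0] != fixed[0]:
        # The advisory only names the 13.x and 16.x releases.
        return "review"
    return "patched" if current >= fixed else "needs-update"


def report(inventory):
    """Map each host in an iterable of (host, platform, version) to a status."""
    return {host: triage(platform, version) for host, platform, version in inventory}


# Constructed sample inventory (hypothetical hosts), e.g. exported from an MDM.
SAMPLE_INVENTORY = [
    ("mac-finance-01", "macOS", "13.2"),
    ("mac-dev-07", "macOS", "13.2.1"),
    ("mac-lab-03", "macOS", "12.6.3"),
    ("iphone-exec-02", "iOS", "16.3"),
    ("ipad-kiosk-11", "iPadOS", "16.3.1"),
    ("iphone-test-05", "iOS", "16.4 beta"),
]

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print("%-16s %s" % (host, status))
```

Hosts reported as `needs-update` are the ones to prioritise for patching and for the Safari log review recommended above.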