On February 13th, 2023, Apple released iOS 16.3.1 and iPadOS 16.3.1, which include security updates to address vulnerabilities in the operating systems. These updates are available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
The first vulnerability addressed in these updates is related to the kernel of the operating system. An app may be able to execute arbitrary code with kernel privileges due to a use-after-free issue. This vulnerability was fixed with improved memory management.
The CVE-ID for this issue is CVE-2023-23514, and it was discovered by Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero.
The second vulnerability addressed in iOS 16.3.1 and iPadOS 16.3.1 is in WebKit, the browser engine used by Safari. Processing maliciously crafted web content may lead to arbitrary code execution, and Apple is aware of a report that this issue may have been actively exploited.
The vulnerability was fixed by addressing a type confusion issue with improved checks. The CVE-ID for this issue is CVE-2023-23529, and it was discovered by an anonymous researcher. The WebKit Bugzilla ID for this issue is 251944.
As a reminder, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.
For more information about security, customers can visit the Apple Product Security page. It is always recommended that users keep their devices up to date with the latest software to ensure the highest level of security.