Modern web browsers are complicated, which opens them up to more potential security issues. Apple has now released updates to fix a bug in Safari that allowed web pages to run code on the device.
Apple just released system updates for iPhone, iPad, and Mac, all of which include a fix for a bug in Safari’s WebKit engine. The updates are versioned iOS 16.4.1, iPadOS 16.4.1, and macOS Ventura 13.3.1, respectively. Apple has not disclosed details about the security vulnerability, except that it allows “malicious web content” to execute arbitrary code on the device as if it were running a native app.
Unfortunately, this is also a zero-day vulnerability: Apple says it is “aware of a report that this issue may have been actively exploited.” For Mac computers that are not updated to Ventura, Safari 16.4.1 will roll out to macOS Big Sur and Monterey with the same fix.
The updates for macOS Ventura, iOS 16, and iPadOS 16 also include a fix for another security vulnerability in IOSurfaceAccelerator, a system framework. This flaw allows arbitrary code to be executed with the same privileges as kernel code. Apple says that flaw may also have been exploited in the wild.
You can download new OS updates from the Settings app on your iPhone, iPad, or Mac. Maybe one of these days, Apple will figure out how to update Safari without a full OS update.
Source: Apple (iOS/iPadOS, macOS, Safari)