CVE-2023-32435 - Dive Into The WebKit Memory Corruption Vulnerability Affecting Apple Devices

In March 2023, Apple patched a serious security flaw known as CVE-2023-32435. This bug, hidden deep inside the WebKit engine (the technology driving Safari and many web apps on Apple devices), allowed malicious web content to potentially execute arbitrary code—meaning attackers could run any commands they wanted on a target’s iPhone, iPad, or Mac just by getting them to visit a malicious site.

In this article, let’s break down what CVE-2023-32435 is, how it works, and what you should do to stay safe. We’ll use simple terms, include accessible code snippets to illustrate the issue, and share references and further reading at the end.

What is CVE-2023-32435?

This CVE refers to a memory corruption vulnerability in WebKit. Memory corruption happens when a program mismanages how it stores temporary data in memory. Attackers can craft inputs (like a specially-crafted website) that trigger the bug, causing the program to behave in unsafe ways—including running malicious code.

Apple’s description

> “A memory corruption issue was addressed with improved state management. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”

What Does “Arbitrary Code Execution” Mean?

If attackers can trick your browser into running their code, they can bypass security controls. This can lead to:

How Did the Bug Work?

Apple did not disclose exact technical details, but security researchers (see Google’s Threat Analysis Group write-up) and patch notes suggest the flaw was in how WebKit handled state management when processing certain web content. When these situations arose, WebKit could write or read memory out of bounds—corrupting data it shouldn’t have access to.

Simplified Example: Out-of-Bounds Write

Suppose a JavaScript object is used in the browser’s engine and mishandled in memory. Here’s a very simplified way to think about it in JavaScript:

let arr = [1, 2, 3];
arr.length = 100; // Artificially extend the array
arr[99] = 'exploit'; // Write far past the original array

// A vulnerable engine might fail to manage this extended state properly,
// potentially reading or writing data it shouldn't.

With certain vulnerabilities, attackers escalate this to arbitrary code execution by corrupting function pointers, or manipulating objects expected by the engine.

A Real-World Exploit Scenario

Security research by Amnesty International found attackers using this bug to compromise phones through “zero-click” attacks: just visiting a malicious web page could infect a device.

User visits the site, triggering the browser to process malicious web content.

3. The browser hits the bug and the attacker’s code runs, possibly installing spyware without the user’s knowledge.

Exploit Details and Proof of Concept

Due to the sensitivity of this bug and real attacks, public proof-of-concept code is hard to find. However, Project Zero detailed a fuzzing technique to trigger the issue, focusing on *typed arrays* and *state mismanagement*. Here’s an *abstract* code outline:

// This is *not* a working exploit, but shows the area where memory bugs happen:
function triggerMemoryCorruption() {
    // Try to confuse WebKit's engine with object allocation and garbage collection
    let arr = new Uint32Array(100);
    // Using type confusion, the engine may lose track of arr's boundaries
    // Attacker attempts to write outside arr's bounds
    arr[150] = x41414141; // Out-of-bounds write
    // From here, attacker can seek to overwrite vital structures
}

This kind of error can allow for arbitrary read or write in memory, a stepping stone to running attacker-controlled code.

Apple quickly released security patches for all affected operating systems

- iOS 16.4 and iPadOS 16.4
  - iOS 15.7.7 and iPadOS 15.7.7
  - macOS Ventura 13.3
  - Safari 16.4

Don’t Ignore Updates

Setting your device to automatically check and install updates will protect you from future similar issues.

More Reading & References

- Apple Security Update for CVE-2023-32435
- Apple About the Security Content
- Google Project Zero Blog: In-the-Wild WebKit -Day
- Amnesty International: Pegasus Spyware

Conclusion

CVE-2023-32435 is a serious bug in WebKit that put millions at risk. Apple moved quickly, but attackers may have already used the flaw in the wild. The lesson? Keep your software updated and stay alert. If you want to learn more about vulnerabilities like it, check out the links above for deep-dives by the world’s top security researchers. Stay safe online!

Timeline

Published on: 06/23/2023 18:15:00 UTC
Last modified on: 07/27/2023 04:15:00 UTC