CVE-2023-38594 - How a WebKit Bug Let Hackers Run Code On Your Apple Device — And How It Was Fixed

CVE-2023-38594 drew a lot of attention in 2023 as a critical vulnerability in Apple’s WebKit engine. It affected nearly every Apple device you can think of: iPhones, iPads, Macs, Apple Watch, even Apple TV. If you clicked on a malicious web page, hackers could potentially run any code they wanted on your device — all without you knowing. But what exactly went wrong, and how did Apple close the door on this dangerous bug? In this post, I’ll break down what happened, show some code snippets, give you the original references, and explain the exploit in an easy way.

What Is CVE-2023-38594?

In simple terms, CVE-2023-38594 is a security hole in WebKit, which is the engine behind Safari and other browsers and apps that display web content on Apple devices. Because WebKit has access to lots of private data and code execution rights, exploiting it is pretty much a hacker’s dream come true.

The Threat: Arbitrary Code Execution

When this vulnerability is exploited, it means that a bad actor could get your device to run code of their choosing just by having you visit a rogue website. That could lead to stolen data, ransomware, surveillance, or even a completely compromised system.

Root Cause: A logic flaw in WebKit’s code that processes web content.

- Exploit Vector: By crafting malicious web content (think: a special website), an attacker could cause WebKit to do something it shouldn’t, opening the door to arbitrary code execution.
- Mitigation: Apple patched the issue by improving checks — basically, the code now pays closer attention when handling risky situations.

Let’s imagine a simplified example

// Hypothetical vulnerable function in WebKit
void processContent(UserContent* content) {
    // ... some code ...
    if (content->isValid()) {
        // Assume safe, go ahead
        execute(content->getData());
    }
    // ... other code ...
}

What if content->isValid() doesn’t actually check *everything*? An attacker could sneak malicious data through, causing execute() to run harmful code.

Apple’s Fix: Apple went in and made sure those “valid” checks actually covered all the bases, so no bad content could get through:

void processContent(UserContent* content) {
    // Improved checks
    if (content->isSafe() && content->isValid()) {
        execute(content->getTrustedData());
    }
}

Remember: the actual WebKit code is far more complex, but this gives you the flavor — it’s all about better validating inputs before trusting them.

Exploit Details (What an Attacker Could Do)

Let’s say you visited a website designed to take advantage of this bug. Behind the scenes, that site might trigger a memory corruption bug or a logic error in WebKit.

Here’s a (simplified) example of malicious JavaScript an attacker might try to use

// Example: Flaw could let this run native code
let spray = [];
for (let i = ; i < 100000; i++) {
    spray.push(new ArrayBuffer(1024)); // "Heap spraying"
}
// then trigger the bug to overwrite some pointer
triggerVulnerability(spray);

By carefully controlling memory and the execution path, the attacker could hijack a critical function pointer, and then jump to their own code — which could download malware, steal data, anything.

Victim’s Experience: The scary thing? The victim might just see a normal-looking site — but in the background, their phone/uploaded data/family photos could be gone.

Who Was Affected?

Pretty much *everyone* using Apple products before mid-2023. Here’s the list of affected (and fixed!) software versions:

watchOS 9.6

So if you hadn’t updated your device to these versions or later, you were at risk.

How Was It Fixed?

Apple’s security note says, simply:

“The issue was addressed with improved checks.”

Under the hood, this means Apple’s engineers found the logic error, beefed up input validation in WebKit, and rolled out patched versions of all affected software.

No more mysterious code running just because you visited a website!

Original References

- Apple Security Updates: About the security content of iOS 16.6 and iPadOS 16.6 (July 2023)
- Apple Security Updates: About the security content of Safari 16.6 (July 2023)
- Apple Security Updates index
- NIST CVE entry for CVE-2023-38594

Stay Wary: Even top brands have bugs. Never delay security updates.

- Trust But Verify: Safari, Chrome, Firefox — all browsers have bugs. Accept updates when they show up.

TL;DR

CVE-2023-38594 was a dangerous WebKit bug that let bad websites run code on your iPhone, Mac, or other Apple device. Apple fixed it fast in iOS 15.7.8, iOS 16.6, macOS Ventura 13.5, and more by tightening up their code checks. Always update your devices — it can be the difference between safety and a major headache.

Have questions or want to know more about how these exploits work? Drop them below! Stay safe online.

Timeline

Published on: 07/27/2023 00:15:15 UTC
Last modified on: 08/18/2023 03:15:20 UTC