CVE CyberSecurity Database News

CVE-2023-38595 - How a WebKit Bug Could Let Attackers Run Code on Your Apple Devices

Poster -

Apple products are famous for their security, but sometimes, even the world’s biggest tech companies slip up. In this long read, we’ll break down CVE-2023-38595—a critical WebKit vulnerability patched by Apple in July 2023. We’ll walk through what happened, how an attacker could have exploited it, and how it was eventually fixed. If you’re interested in the guts of browser security or just want to know if your iPhone or Mac is at risk, you’re in the right place.

What is CVE-2023-38595?

CVE-2023-38595 refers to a security bug in WebKit, the browser engine powering Safari and many parts of the Apple ecosystem. In technical terms, the issue allowed malicious web content to trigger arbitrary code execution on your device—meaning an attacker could potentially run whatever code they wanted, just by tricking you into visiting a harmful webpage.

Apple officially described it as

> "Processing web content may lead to arbitrary code execution. The issue was addressed with improved checks."

watchOS 9.6

Full release notes:  
➡️ Apple Security Updates

Where Did the Problem Come From?

WebKit is the heart of Safari and many web-based features in other Apple apps. A single coding error can open the door wide to attackers. CVE-2023-38595 involved a failure to properly check objects or data loaded from the web, leading to memory corruption. This allowed attackers to inject harmful code that the browser could execute—usually code that would give them control over your device.

Here’s a *conceptual* version of what this might look like in code

// A simplified pseudo-code example of a vulnerable pattern
void processWebContent(Content* content) {
    if (content->isTrusted()) {
        // Assume this content is always safe - a risky assumption
        execute(content->payload());
    }
}

An attacker could craft a web page to trick the browser’s isTrusted() check, delivering their malicious payload() that then gets executed.

The fix? Apple added improved (stricter and more thorough) checks to make sure malicious content can’t bypass the trust evaluation.

Send phishing emails or messages luring users to visit the site.

3. When you visit the webpage, it triggers the flaw, causing your browser (or other WebKit-powered app) to execute the attacker’s code.

Exploit Details (in Simple Terms)

While Apple does not share full exploit details, similar WebKit bugs often involve techniques like use-after-free or type confusion, which are technical ways of saying "the browser got confused about how a piece of memory was supposed to be used."

A simplified proof-of-concept attack (not the actual exploit, but a pattern)

// Malicious JavaScript (hypothetical example)
let craftedObject = { /* Tricky stuff here */ };
webView.loadContent(craftedObject);

// The browser processes craftedObject in a way
// that causes memory corruption and code execution.

In the real world: Attackers usually write custom JavaScript that abuses the browser’s handling of certain complicated web features (like SVG files, CSS animations, or complex HTML), trying to trick the internal check so their malicious instructions get run.

How Was It Fixed?

Apple patched the code by adding improved checks—basically, adding more thorough verification to make sure no untrusted code or data slips through. This is like double-checking someone’s ID before letting them backstage at a concert, even if they look familiar.

Here’s a pseudo-example of what “improved checks” might look like

void processWebContent(Content* content) {
    if (content == nullptr) return; // New check!
    if (!content->isTrusted()) return; // Only allow trusted content
    // No more assumptions!
    execute(content->payload());
}

Now, even if a website tries to trick the browser, it won’t make it past the stricter filters.

If you’re using any Apple device, make sure you’re running

- iOS/iPadOS 16.6 or later

watchOS 9.6 or later

To check your Apple device version:  
Go to *Settings* → *General* → *Software Update*.

If it offers an update, download and install it right away. These browser-based attacks can happen silently, without you knowing.

Additional Reading & References

- Apple CVE-2023-38595 Security Update
- NVD - CVE-2023-38595 Entry
- WebKit Security Blog
- What is Arbitrary Code Execution? (OWASP)

Bottom Line

CVE-2023-38595 was a big deal: it’s a classic example of how even small bugs can have a huge impact in software trusted by billions of people. The safest thing you can do is keep your devices updated and be wary of suspicious links. With every patch, your Apple device is one step closer to being bulletproof.

If you have any questions, check the references above and always update your devices as soon as you can!

Timeline

Published on: 07/27/2023 01:15:37 UTC
Last modified on: 08/18/2023 03:15:21 UTC