CVE-2023-32445: Apple Safari and Webkit Improved Checks to Prevent Cross Site Scripting Attacks

Apple has recently addressed CVE-2023-32445, a security vulnerability initially discovered within Safari 16.6, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, and macOS Ventura 13.5. This vulnerability had the potential to expose users’ sensitive information via a cross-site scripting (XSS) attack.

CVE-2023-32445 Vulnerability Details

Before the latest updates, a maliciously crafted document (such as an HTML file) could exploit the vulnerability, leading to a cross-site scripting attack. This specific flaw allowed attackers to execute unauthorized JavaScript code in the context of the victim's browser, potentially revealing sensitive information like authentication cookies or hijacking a user's session.

Apple has provided patches for affected products, including Safari 16.6, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, iOS 16.6 and iPadOS 16.6, and macOS Ventura 13.5. The fix is implemented by improving checks within the affected software, preventing documents from being able to cause a cross-site scripting attack.

The following code snippet demonstrates a simple example of a cross-site scripting attack

<html>
<head>
  <title>CVE-2023-32445 Exploit Example</title>
</head>
<body>
  <h1>Search for a book:</h1>
  <input type="text" id="search" onkeyup="searchBooks()" />
  <script>
    function searchBooks() {
      var searchTerm = document.getElementById('search').value;
      var url = "https://example.com/books?q="; + encodeURIComponent(searchTerm);

      // Perform a search request and update the page with search results
      fetch(url).then(/* ... */);
    }
  </script>
</body>
</html>

In the example above, the malicious code might have been injected into the searchTerm input field, executing unauthorized JavaScript code within the victim's browser. The improved checks introduced by Apple now prevent this type of attack from being successful.

References and Original Sources

Apple has published security advisories with information on the updates addressing this issue for the different affected products:

- Safari 16.6: Safari 166
- watchOS 9.6: watchOS 9.6
- iOS 15.7.8 and iPadOS 15.7.8: iOS 15.7.8 and iPadOS 15.7.8
- tvOS 16.6: tvOS 16.6
- macOS Ventura 13.5: macOS Ventura 13.5

The National Vulnerability Database (NVD) from NIST also contains additional information on CVE-2023-32445:

- CVE-2023-32445

Conclusion

Users of affected versions of Safari, watchOS, iOS, iPadOS, tvOS, and macOS are urged to update their software to the latest versions with improved checks to prevent cross-site scripting attacks. Utilizing the patches and following best security practices, users can protect their sensitive data from this and similar vulnerabilities.

Timeline

Published on: 07/28/2023 05:15:10 UTC
Last modified on: 08/03/2023 17:02:11 UTC