CVE-2023-41993 — Apple Multiple Products WebKit Code Execution Vulnerability

CVE-2023-41993

Apple WebKit — Zero-Click iMessage Code Execution via PassKit Attachment in BLASTPASS Pegasus Chain

What is Apple WebKit?

WebKit is Apple's browser engine — it powers Safari on all Apple platforms and, by Apple policy, is mandatory for all browsers distributed on iOS and iPadOS. Any app that displays web content on iPhone or iPad uses WebKit. Because WebKit processes untrusted content (web pages, attachments, links) and runs with network-accessible attack surface, vulnerabilities in it are the primary entry point for remote code execution attacks against Apple devices. A WebKit bug that can be triggered without user interaction (zero-click) is among the most dangerous classes of mobile vulnerability.

Overview

CVE-2023-41993 is a WebKit vulnerability that allows processing maliciously crafted web content to lead to arbitrary code execution. It is the initial entry point of the BLASTPASS exploit chain — a zero-click iMessage attack attributed to NSO Group's Pegasus spyware that was captured in the wild by Citizen Lab in September 2023. The attack delivered malicious PassKit image attachments via iMessage, triggering WebKit to process them without the victim tapping or interacting with the message.

Affected Versions

Product                  Affected                            Fixed
iOS                      Prior to 16.7 and prior to 17.0.1   16.7 / 17.0.1
iPadOS                   Prior to 16.7 and prior to 17.0.1   16.7 / 17.0.1
macOS Ventura (Safari)   Prior to Safari 16.6.1              Safari 16.6.1

Technical Details

Apple classifies CVE-2023-41993 as improper handling of exceptional conditions (CWE-754) in WebKit. The vulnerability is triggered when WebKit processes maliciously crafted web content — in the BLASTPASS attack, the crafted content was delivered as PassKit (.pkpass) wallet attachment files sent via iMessage.

iMessage automatically renders certain rich attachment types (including PassKit passes) to show previews, which causes WebKit to parse the attachment content without any user interaction. The crafted content triggers the WebKit vulnerability, achieving code execution within the WebKit renderer process. This is the "zero-click" entry point:

  1. Attacker sends iMessage containing a malicious PassKit attachment to the target.
  2. iMessage automatically processes the PassKit file to generate a preview, triggering WebKit.
  3. CVE-2023-41993 fires, achieving renderer process code execution.
  4. The chain then uses CVE-2023-41991 and CVE-2023-41992 to escalate to full kernel privileges and install Pegasus persistently.

The CVSS score of 8.8 reflects network-accessible delivery with required user interaction — however, the "user interaction" in this case is simply receiving an iMessage, not taking any affirmative action.

Discovery

Bill Marczak of The Citizen Lab and Maddie Stone of Google's Project Zero discovered and analyzed the BLASTPASS chain after Citizen Lab identified the exploit on a device belonging to a civil society organization employee, captured on September 7, 2023.

Exploitation Context

BLASTPASS represents the state of the art in mobile targeted surveillance: a fully zero-click, no-interaction-required attack chain capable of compromising a fully patched iPhone. It was attributed to NSO Group and their Pegasus platform, which is marketed to government clients. Citizen Lab has documented Pegasus being used against journalists in Mexico and Azerbaijan, human rights lawyers, political opposition members, and civil society organizations globally.

The fact that Citizen Lab captured this exploit in active use demonstrates that such capabilities are deployed against real targets, not just held in reserve. Apple's response — emergency patches shipped within two weeks across all iOS/iPadOS/macOS/watchOS branches — reflects the severity of the threat.

Remediation

  1. Update immediately: iOS 17.0.1, iOS 16.7, iPadOS 17.0.1, iPadOS 16.7, macOS Ventura 13.6 (with Safari 16.6.1).
  2. Enable Lockdown Mode on all Apple devices belonging to journalists, lawyers, activists, government officials, and others at risk of targeted surveillance — Lockdown Mode restricts iMessage link previews and PassKit handling, directly blocking this class of attack.
  3. Stay current on all Apple platform updates — zero-click chains are repaired quickly once discovered, but only for users who apply updates.
  4. For organizations managing devices: enforce iOS version compliance via MDM and auto-enrollment; any iOS device more than one patch cycle behind should be treated as potentially compromised.
  5. If targeted attack is suspected: use the Mobile Verification Toolkit (MVT) for forensic analysis, or contact Citizen Lab's Access Now Digital Security Helpline.
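An added compliance check for remediation step 4, written for this page and not taken from the advisory or from Apple. It assumes an MDM inventory of (device_id, product, version) rows and the product names iOS, iPadOS and Safari, and encodes the two-branch rule from the Affected Versions table: a device on 17.0 is still exposed even though 17.0 is numerically above 16.7, because the 17.x fix is 17.0.1.

```python
# Added example, not from the advisory or from Apple: a version-compliance
# check to run over an MDM inventory and flag devices still exposed to
# CVE-2023-41993. Fixed versions come from the Affected Versions table; the
# product names and the (device_id, product, version) row format are assumed.

# Per product, the first fixed version on each major-version branch:
# iOS/iPadOS 16.x need 16.7, 17.x need 17.0.1; Safari needs 16.6.1.
FIXED_VERSIONS: dict[str, dict[int, tuple[int, ...]]] = {
    "iOS":    {16: (16, 7), 17: (17, 0, 1)},
    "iPadOS": {16: (16, 7), 17: (17, 0, 1)},
    "Safari": {16: (16, 6, 1)},
}

def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted version such as '17.0.1' into (17, 0, 1)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return parts

def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Zero-pad so that '16.7' and '16.7.0' compare equal.
    return v + (0,) * (n - len(v))

def is_patched(product: str, version: str) -> bool:
    """True only if the version is at or above the fix on its own branch."""
    # A 17.0 device is not covered by the 16.7 fix, and a 16.x device is not
    # covered by 17.0.1, so each branch is compared to its own fixed version.
    v = parse_version(version)
    branches = FIXED_VERSIONS[product]
    major = v[0]
    if major in branches:
        fixed = branches[major]
        n = max(len(v), len(fixed))
        return _pad(v, n) >= _pad(fixed, n)
    if major > max(branches):
        return True   # a newer major release ships after the fix
    return False      # an older branch with no listed fix: flag for review

def flag_unpatched(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the device IDs of inventory rows that fail is_patched()."""
    return [dev for dev, prod, ver in inventory if not is_patched(prod, ver)]

# Constructed sample inventory: (device_id, product, version).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "16.6.1"),   # 16.x branch, below 16.7
    ("phone-02", "iOS", "17.0"),     # 17.x branch, below 17.0.1
    ("phone-03", "iOS", "17.0.1"),   # fixed
    ("mac-01", "Safari", "16.6"),    # below 16.6.1
]
```

Devices on a major version older than any listed branch are flagged rather than assumed safe, since the table lists no fix for them.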

Key Details

CVE ID: CVE-2023-41993
Vendor / Product: Apple — Multiple Products
NVD Published: 2023-09-21
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-754
CISA KEV Added: 2023-09-25
CISA KEV Deadline: 2023-10-16
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-09-07   Citizen Lab discovers BLASTPASS exploit chain on a civil society organization employee's device
2023-09-07   Citizen Lab notifies Apple; Apple issues Rapid Security Response patches
2023-09-21   Apple releases full patches: iOS 16.7 / 17.0.1, iPadOS 16.7 / 17.0.1, macOS Ventura 13.6, Safari 16.6.1
2023-09-25   Added to CISA Known Exploited Vulnerabilities catalog
2023-10-16   CISA BOD 22-01 remediation deadline