Apple released emergency security updates to fix two actively exploited zero-day flaws impacting iPhone, iPad, and Mac devices.
Apple released emergency security updates to address two zero-day vulnerabilities impacting iPhone, iPad, and Mac devices. The flaws are actively exploited in attacks in the wild, both issues reside in the WebKit browser engine.
The first vulnerability, tracked as CVE-2023-42916, is an out-of-bounds read. An attacker can trick a victim into visiting specially crafted web content to disclose sensitive information.
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.” reads the advisory.
The company addressed the flaw with improved input validation.
The second vulnerability, tracked as CVE-2023-42917, is a memory corruption vulnerability. An attacker can trick a victim into visiting specially crafted web content to potentially execute arbitrary code on the impacted devices.
The company addressed the flaw with improved locking.
Clément Lecigne of Google’s Threat Analysis Group discovered both vulnerabilities. The fact that the issues were discovered by Google TAG suggests they were exploited by a nation-state actor or by a surveillance firm.
Apple addressed the flaws with the release of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
The vulnerabilities impact the following devices:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, Sonoma
The IT giant fixed 19 zero-day flaws from the start of the year.
The remaining seventeen vulnerabilities are
- October 2023 – CVE-2023-5217.
- September 2023 – CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992.
- September 2023 – CVE-2023-41064 and CVE-2023-41061.
- July 2023 – CVE-2023-37450 and CVE-2023-38606.
- June 2023 – CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439.
- May 2023 – CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
- April 2023 – CVE-2023-28206 and CVE-2023-28205.
- February 2023 – CVE-2023-23529.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)