Apple has rolled out software updates across its ecosystem, including iOS, iPadOS, macOS, and Safari, to address two critical security vulnerabilities that have been actively exploited. Both vulnerabilities are located in the WebKit web browser engine and have been identified as follows:
· CVE-2023-42916: This concerns an out-of-bounds read issue, posing a threat of leaking sensitive information during the processing of web content.
· CVE-2023-42917: This relates to a memory corruption bug that could lead to arbitrary code execution during the processing of web content.
Reports of active exploitation have been acknowledged by Apple, particularly targeting versions of iOS predating the release of iOS 16.7.1 on October 10, 2023. The discovery and reporting of these vulnerabilities are credited to Clément Lecigne from Google’s Threat Analysis Group (TAG).
Although Apple has not provided detailed information about the ongoing exploitation, it’s notable that previous zero-days in iOS have been employed for deploying spyware against high-profile individuals, such as activists, dissidents, journalists, and politicians.
An important consideration is that all third-party web browsers available for iOS and iPadOS, including popular ones like Google Chrome, Mozilla Firefox, and Microsoft Edge, utilize the WebKit rendering engine due to Apple-imposed restrictions. This significantly broadens the potential attack surface, making it an attractive target for attackers.
The updates are applicable to the following devices and operating systems:
· iOS 17.1.2 and iPadOS 17.1.2: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
· macOS Sonoma 14.1.2: Macs running macOS Sonoma.
· Safari 17.1.2: Macs running macOS Monterey and macOS Ventura.
This latest release of security fixes from Apple marks the resolution of 19 actively exploited zero-days since the beginning of 2023. Notably, this comes in the wake of Google addressing a high-severity flaw in Chrome (CVE-2023-6345), which had also been subjected to real-world attacks, marking the seventh zero-day addressed by the company this year.
CyberSec84 | Cybersecurity news. 
Leave a comment