Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below -
- CVE-2023-42916 - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
- CVE-2023-42917 - A memory corruption bug that could result in arbitrary code execution when processing web content.
Apple said it's aware of reports exploiting the shortcomings "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws.
The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.
It's worth pointing out here that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is powered by the WebKit rendering engine due to restrictions imposed by Apple, making it a lucrative and broad attack surface.
The updates are available for the following devices and operating systems -
- iOS 17.1.2 and iPadOS 17.1.2 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- macOS Sonoma 14.1.2 - Macs running macOS Sonoma
- Safari 17.1.2 - Macs running macOS Monterey and macOS Ventura
With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. It also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has also come under real-world attacks, making it the seventh zero-day to be patched by the company this year.
