Apple has released software updates for iOS, iPadOS, macOS, and the Safari web browser to address two security flaws that it says are being actively exploited in the wild against older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below –
- CVE-2023-42916 – An out-of-bounds read issue that can be exploited to leak sensitive information when processing web content.
- CVE-2023-42917 – A memory corruption bug that could result in arbitrary code execution when processing web content.
Apple said it was aware of reports that the flaws had been exploited “against versions of iOS prior to iOS 16.7.1,” which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) is credited with discovering and reporting the two vulnerabilities.
The iPhone maker did not provide more information about the ongoing exploit, but the previously disclosed iOS zero-days were used to deliver mercenary spyware targeting people at risk, such as activists, dissidents, journalists, and politicians.
It is worth pointing out here that every third-party web browser available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, among others, runs on the WebKit rendering engine due to restrictions imposed by Apple, making WebKit a lucrative and wide-ranging attack surface.
Updates are available for the following devices and operating systems –
- iOS 17.1.2 and iPadOS 17.1.2 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- macOS Sonoma 14.1.2 – Macs running macOS Sonoma
- Safari 17.1.2 – Macs running macOS Monterey and macOS Ventura
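Because the fix arrives as an OS update on some devices and as a standalone Safari update on others, checking an inventory by eye is error-prone. The following added example (not code from Apple or from the original article) shows how a defender could flag devices in a device inventory that are still below the fixed versions named above. The inventory rows are constructed sample data; the rule that macOS releases before Sonoma are evaluated on their Safari version rather than their OS version is an assumption drawn from the update list above.

```python
from typing import List, Optional, Tuple

# Minimum fixed versions named in the advisory: iOS/iPadOS 17.1.2,
# macOS Sonoma 14.1.2, and Safari 17.1.2 for macOS Monterey and Ventura.
PATCHED_VERSIONS = {
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "macOS": "14.1.2",
    "Safari": "17.1.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '17.1.2' into (17, 1, 2).

    Non-numeric components raise ValueError so that a malformed inventory
    entry is surfaced instead of being silently treated as patched.
    """
    return tuple(int(part) for part in version.strip().split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b, padding shorter versions with zeros
    so that '17.2' compares correctly against '17.1.2'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the installed version is at or above the fixed version.

    Returns None when this rule cannot decide: unknown products, and
    (assumption based on the update list) macOS releases before 14.x,
    which received Safari 17.1.2 rather than an OS update and must be
    judged on their Safari version instead.
    """
    minimum = PATCHED_VERSIONS.get(product)
    if minimum is None:
        return None
    if product == "macOS" and parse_version(version)[0] < 14:
        return None
    return compare_versions(version, minimum) >= 0


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that are definitely below the fix."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if is_patched(product, version) is False
    ]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("iphone-01", "iOS", "17.1.2"),     # exactly the fixed version
    ("iphone-02", "iOS", "17.1.1"),     # one release behind
    ("iphone-03", "iOS", "16.7.1"),     # the version Apple's report refers to
    ("ipad-01", "iPadOS", "17.2"),      # newer than the fix, shorter string
    ("mac-01", "macOS", "14.1.2"),      # Sonoma, patched
    ("mac-02", "macOS", "14.1"),        # Sonoma, unpatched
    ("mac-03", "macOS", "13.6.1"),      # Ventura: decided by Safari version, not here
    ("mac-03", "Safari", "17.1.2"),     # the Safari row for the same Ventura host
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {PATCHED_VERSIONS[product]}")
```

Running the block lists iphone-02, iphone-03 and mac-02; the Ventura host is left to its Safari row, which is at the fixed version. The zero-padding in `compare_versions` matters in practice because Apple does not publish a trailing `.0` on point releases, so a plain string comparison would misjudge `17.2` against `17.1.2`.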
With the latest security fixes, Apple has addressed as many as 19 actively exploited zero-days since the start of 2023. The update also comes days after Google shipped fixes for a serious flaw in Chrome (CVE-2023-6345) that has likewise been exploited in real-world attacks, making it the seventh zero-day patched by the company this year.