Pierluigi Paganini November 30, 2023
Apple released emergency security updates to address two zero-day vulnerabilities impacting iPhone, iPad, and Mac devices. The flaws are actively exploited in attacks in the wild, both issues reside in the WebKit browser engine.
The first vulnerability, tracked as CVE-2023-42916, is an out-of-bounds read. An attacker can trick a victim into visiting specially crafted web content to disclose sensitive information.
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.” reads the advisory.
The company addressed the flaw with improved input validation.
The second vulnerability, tracked as CVE-2023-42917, is a memory corruption vulnerability. An attacker can trick a victim into visiting specially crafted web content to potentially execute arbitrary code on the impacted devices.
The company addressed the flaw with improved locking.
Clément Lecigne of Google’s Threat Analysis Group discovered both vulnerabilities. The fact that the issues were discovered by Google TAG suggests they were exploited by a nation-state actor or by a surveillance firm.
Apple addressed the flaws with the release of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
The vulnerabilities impact the following devices:
The IT giant fixed 19 zero-day flaws from the start of the year.
The remaining seventeen vulnerabilities are
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)