The Information Highway

Apple fixes two new iOS zero-days in emergency updates

Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. 

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.

The two bugs were found in the WebKit browser engine (CVE-2023-42916 and CVE-2023-42917). Processing a maliciously crafted webpage could let attackers gain access to sensitive information through an out-of-bounds read weakness, or gain arbitrary code execution through a memory corruption bug on vulnerable devices.

The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.

The list of impacted Apple devices is quite extensive, and it includes:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Monterey, Ventura, and Sonoma

Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.

While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

20 zero-days exploited in the wild in 2023

CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.

Google TAG disclosed another zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.

Apple recently patched three more zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), fixed by Apple in September and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware. 
