Apple Releases Fixes for 2 Actively Exploited Flaws in iOS, macOS, and Safari

    Apple has released software updates for iOS, iPadOS, macOS, and the Safari web browser to address two security flaws that are being actively exploited against older software versions.

    Both vulnerabilities are in the WebKit browser engine:

    1. CVE-2023-42916: An out-of-bounds read that could disclose sensitive information when processing web content.
    2. CVE-2023-42917: A memory corruption bug that could lead to arbitrary code execution when processing maliciously crafted web content.

    Apple's latest updates patch both issues. The company said it is aware of reports that the vulnerabilities may have been exploited against versions of iOS before iOS 16.7.1; the fixes ship in iOS 17.1.2 and the companion updates listed below. Clément Lecigne of Google's Threat Analysis Group (TAG) discovered and reported both flaws.

    Apple has not disclosed details of the in-the-wild attacks. Historically, however, zero-day vulnerabilities in iOS have been exploited to deliver spyware against targeted groups such as activists, journalists, and politicians.

    It’s worth noting that Apple requires every third-party web browser on iOS and iPadOS to use the WebKit rendering engine. A WebKit flaw therefore affects every browser on those platforms, not just Safari, which widens the attack surface.

    The following devices and operating systems have updates available:

    • iOS 17.1.2 and iPadOS 17.1.2: These updates support iPhone XS and later, as well as various iPad models.
    • macOS Sonoma 14.1.2: This update supports Macs running macOS Sonoma.
    • Safari 17.1.2: This update supports Macs running macOS Monterey and macOS Ventura.

    With these releases, Apple has patched 19 actively exploited zero-days since the start of 2023. The updates arrive shortly after Google fixed a high-severity flaw in Chrome (CVE-2023-6345), the seventh Chrome zero-day the company has patched this year.
