Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and affecting iPhone, iPad, and Mac devices.
Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and affecting iPhone, iPad, and Mac devices.
With the latest security fixes, Apple has remediated as many as 20 actively exploited zero-days since the start of the year.
The two vulnerabilities were found in the WebKit browser engine CVE-2023-42916 and CVE-2023-42917. Allows attackers to access sensitive information through an out-of-bounds read weakness and gain arbitrary code execution via a memory corruption bug on vulnerable devices. The attackers can exploit these vulnerabilities using maliciously crafted web pages.
The updates are available for the following devices and operating systems.
- iOS 17.1.2 and iPadOS 17.1.2 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
- macOS Sonoma 14.1.2 - Macs running macOS Sonoma.
- Safari 17.1.2 - Macs running macOS Monterey and macOS Ventura.
Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), identified and reported both zero-days. While Apple has not disclosed information about ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.
CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year. Google TAG disclosed another zero-day bug, CVE-2023-42824, in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.
Apple recently patched three more zero-day bugs, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, reported by Citizen Lab and Google TAG researchers. Threat actors exploited these vulnerabilities to deploy Predator spyware.
Citizen Lab disclosed two other zero-days, CVE-2023-41061 and CVE-2023-41064, which were fixed by Apple in September and were used as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware. Since the year's start, Apple has also patched several other vulnerabilities.
Want your digital assets to be protected?
CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organization against all kinds of cyber threats.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.
You may be interested in reading: How to Survive the COVID Time Cyber Security Threats?