
Apple has released emergency security updates to address two zero-day vulnerabilities that could be exploited by attackers to gain access to sensitive information or execute arbitrary code on affected devices. These vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917, reside in the WebKit browser engine, which is used by Safari and other web browsers on Apple devices.
As per the advisory, “Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1”. The discovery of these vulnerabilities is credited to the vigilance and expertise of Clément Lecigne of Google’s Threat Analysis Group (TAG).
Vulnerability Details
- CVE-2023-42916: An out-of-bounds read vulnerability could allow attackers to read sensitive information from the affected device’s memory.
- CVE-2023-42917: A memory corruption vulnerability could allow attackers to execute arbitrary code on the affected device.
The following Apple devices are affected by these vulnerabilities:
- iPhone: iPhone XS and later
- iPad: iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Mac: Macs running macOS Monterey, Ventura, or Sonoma
Apple has released security updates for iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 that address these vulnerabilities. Users are strongly encouraged to install these updates as soon as possible.
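As an added example (not part of the advisory or of Apple's tooling), the following script audits a constructed device inventory against the fixed versions listed above and reports devices that still need the update. Mapping macOS Monterey and Ventura to the Safari 17.1.2 fix, and the inventory itself, are assumptions made for this example.

```python
from typing import NamedTuple, Tuple

# Fixed versions as stated in the advisory summary above. Treating the
# Safari 17.1.2 build as the fix for Monterey/Ventura is an assumption.
PATCHED = {
    "iOS": (17, 1, 2),
    "iPadOS": (17, 1, 2),
    "macOS Sonoma": (14, 1, 2),
    "Safari": (17, 1, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2); missing components count as 0.

    Comparing tuples of ints avoids the classic string-compare mistake
    where '17.1.10' sorts below '17.1.2'.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the reported version is older than the fixed build."""
    fixed = PATCHED.get(platform)
    if fixed is None:
        raise ValueError(f"no fix version known for {platform!r}")
    return parse_version(version) < fixed


class Device(NamedTuple):
    name: str
    platform: str
    version: str


# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = [
    Device("iphone-ceo", "iOS", "17.1.1"),
    Device("iphone-dev", "iOS", "17.1.2"),
    Device("ipad-lobby", "iPadOS", "16.7.1"),
    Device("mbp-sec", "macOS Sonoma", "14.1.2"),
    Device("mbp-ops", "macOS Sonoma", "14.1"),
    Device("imac-monterey", "Safari", "17.1.1"),
]


def unpatched(devices) -> list:
    """Return the names of devices still exposed to CVE-2023-42916/42917."""
    return [d.name for d in devices if is_vulnerable(d.platform, d.version)]


if __name__ == "__main__":
    for name in unpatched(INVENTORY):
        print("needs update:", name)
```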


