By Sergiu Gatlan on Thursday, 30 November 2023
Category: Technology

Apple fixes two new iOS zero-days in emergency updates

Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. 

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.

The two bugs were found in the WebKit browser engine (CVE-2023-42916 and CVE-2023-42917), allowing attackers to gain access to sensitive information via an out-of-bounds read weakness and gain arbitrary code execution via a memory corruption bug on vulnerable devices via maliciously crafted webpages. 

The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.

The list of impacted Apple devices is quite extensive, and it includes:

Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.

While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

20 zero-days exploited in the wild in 2023

CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.

Google TAG disclosed another zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.

Apple recently patched three more zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), fixed by Apple in September and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware. 

Related Posts

Leave Comments