Security News > 2023 > December > Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)

Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)
2023-12-01 09:23

With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities that "May have been exploited against versions of iOS before iOS 16.7.1.".

Both affect WebKit, the Apple-developed browser engine used by the company's Safari web browser and all web browsers on iOS and iPadOS. CVE-2023-42916 may lead to disclosure of sensitive information, while CVE-2023-42917 allows arbitrary code execution.

The vulnerabilities have been reported to Apple by security researcher Clément Lecigne, of Google's Threat Analysis Group.

As is their wont, Apple did not disclose details about the attacks in which these zero-days have been exploited, but we know that Google TAG often uncovers zero-day vulnerabilities used to deliver state-sponsored spyware to targeted individuals.

Apple says that vulnerabilities have been exploited against versions of iOS before 16.7.1, but does not say whether iOS 16.7.1 and iOS 16.7.2 are vulnerable.

If they are, Apple will likely soon push out new security updates for the iOS 16.


News URL

https://www.helpnetsecurity.com/2023/12/01/cve-2023-42916-cve-2023-42917/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-11-30 CVE-2023-42917 Out-of-bounds Write vulnerability in multiple products
A memory corruption vulnerability was addressed with improved locking.
network
low complexity
apple debian fedoraproject webkitgtk CWE-787
8.8
2023-11-30 CVE-2023-42916 Out-of-bounds Read vulnerability in multiple products
An out-of-bounds read was addressed with improved input validation.
network
low complexity
apple fedoraproject debian webkitgtk CWE-125
6.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 72 238 1567 2279 265 4349