Apple patches two zero-days used to target iOS users (CVE-2023-42916, CVE-2023-42917)
With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities that "may have been exploited against versions of iOS before iOS 16.7.1".
Both affect WebKit, the Apple-developed browser engine used by the company's Safari web browser and all web browsers on iOS and iPadOS. CVE-2023-42916 may lead to disclosure of sensitive information, while CVE-2023-42917 allows arbitrary code execution.
The vulnerabilities were reported to Apple by security researcher Clément Lecigne of Google's Threat Analysis Group (TAG).
As is their wont, Apple did not disclose details about the attacks in which these zero-days have been exploited, but we know that Google TAG often uncovers zero-day vulnerabilities used to deliver state-sponsored spyware to targeted individuals.
Apple says that the vulnerabilities have been exploited against versions of iOS before 16.7.1, but does not say whether iOS 16.7.1 and iOS 16.7.2 are themselves vulnerable.
If they are, Apple will likely soon push out new security updates for iOS 16.
News URL
https://www.helpnetsecurity.com/2023/12/01/cve-2023-42916-cve-2023-42917/
Related news
- Apple fixes two zero-days used in attacks on Intel-based Macs
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities
- Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308)
- Apple Patches Two Zero-Day Attack Vectors
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS)
---|---|---|---|---
2023-11-30 | CVE-2023-42917 | Out-of-bounds Write vulnerability in multiple products | A memory corruption vulnerability was addressed with improved locking. | 8.8
2023-11-30 | CVE-2023-42916 | Out-of-bounds Read vulnerability in multiple products | An out-of-bounds read was addressed with improved input validation. | 6.5