  • Apple fixes two new iOS [and iPadOS and macOS] zero-days in emergency updates

    Karlston

    Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks and impact iPhone, iPad, and Mac devices, bringing the total to 20 zero-days patched since the start of the year.

     

    "Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.

     

    The two bugs were found in the WebKit browser engine (CVE-2023-42916 and CVE-2023-42917). They allow attackers to gain access to sensitive information through an out-of-bounds read weakness and to gain arbitrary code execution through a memory corruption bug on vulnerable devices, in both cases by means of maliciously crafted webpages.

     

    The company says it addressed the security flaws in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.

     

    The list of impacted Apple devices is quite extensive, and it includes:

     

    • iPhone XS and later
    • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
    • Macs running macOS Monterey, Ventura, Sonoma

     

    Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.

     

    While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

    20 zero-days exploited in the wild in 2023

    CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.

     

    Google TAG disclosed another zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.

     

    Apple recently patched three more zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware.

     

    Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), fixed by Apple in September and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware.

     

    Since the start of the year, Apple has also patched:

     

     


