Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[Zero-Day] Urgent Apple Updates

Executive Summary

Apple has recently addressed two critical zero-day vulnerabilities, CVE-2023-42916 and CVE-2023-42917, through urgent security updates.

These vulnerabilities, exploited actively by hackers, pose a significant threat to a variety of Apple devices. The flaws allow attackers to execute arbitrary code and access sensitive data, primarily through malicious web pages exploiting a memory corruption bug.

Apple did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.

Apple urges all users of affected devices to apply these security patches urgently.

Addressed Apple Zero-Days
CVE-2023-42916: Out-of-Bounds Read

This vulnerability involves an out-of-bounds read issue in the WebKit web browser engine. Exploitation could lead to the leakage of sensitive information when processing web content. Users of iOS versions before 16.7.1 are particularly vulnerable.

Apple has provided improved input validation to mitigate this issue.

CVE-2023-42917: Memory Corruption Bug

The second vulnerability is a memory corruption bug in WebKit, enabling attackers to execute arbitrary code when processing web content. Exploitation of this flaw has been reported on iOS versions before 16.7.1. Apple has addressed this issue with improved locking mechanisms.

Please note that CVSS scores for these new vulnerabilities are not available yet at the time of writing this article.

Affected Products

The following Apple devices and operating systems are impacted by the addressed vulnerabilities:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Monterey, Ventura, Sonoma

Please see Apple’s security advisories for detailed information about the vulnerabilities and their fixes:

Recommendations

Apple strongly advises users of affected devices to update their software immediately.

The update process can be initiated by navigating to ‘Settings’ > ‘General’ > ‘Software Update’ for iPhone and iPad users.

For macOS users, click on the Apple menu, go to System Settings, select General, and then click on Software Update.

Enabling automatic updates is recommended for seamless reception of Rapid Security Response patches.

Security experts emphasize the importance of regularly updating software to the latest versions and exercising caution when encountering suspicious web pages or downloads.

Other Apple Zero-Days in 2023

In addition to the highlighted vulnerabilities, Apple has remediated 19 actively exploited zero-days in 2023.

Recent examples include CVE-2023-5217 in October, CVE-2023-41993, CVE-2023-41991, CVE-2023-41992, CVE-2023-41064 and CVE-2023-41061 in September.

Please also refer to our previous articles for more information about the recent Apple zero-days:

This underscores the evolving challenges in cybersecurity and the need for users to stay vigilant, keeping their devices updated with the latest security patches.

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.