Executive Summary
Apple has recently addressed two critical zero-day vulnerabilities, CVE-2023-42916 and CVE-2023-42917, through urgent security updates.
These vulnerabilities, which are being actively exploited, pose a significant threat to a wide range of Apple devices. The flaws allow attackers to execute arbitrary code and access sensitive data when a device processes maliciously crafted web content: one is a memory corruption bug and the other an out-of-bounds read, both in WebKit.
Apple did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.
Apple urges all users of affected devices to apply these security patches without delay.
Addressed Apple Zero-Days
CVE-2023-42916: Out-of-Bounds Read
This vulnerability is an out-of-bounds read in the WebKit browser engine. Exploitation could disclose sensitive information when processing web content. Users of iOS versions before 16.7.1 are particularly vulnerable.
Apple has provided improved input validation to mitigate this issue.
CVE-2023-42917: Memory Corruption Bug
The second vulnerability is a memory corruption bug in WebKit, enabling attackers to execute arbitrary code when processing web content. Exploitation of this flaw has been reported on iOS versions before 16.7.1. Apple has addressed this issue with improved locking mechanisms.
Please note that CVSS scores for these vulnerabilities were not yet available at the time of writing.
Affected Products
The following Apple devices and operating systems are impacted by the addressed vulnerabilities:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, and Sonoma
Please see Apple’s security advisories for detailed information about the vulnerabilities and their fixes:
Recommendations
Apple strongly advises users of affected devices to update their software immediately.
The update process can be initiated by navigating to ‘Settings’ > ‘General’ > ‘Software Update’ for iPhone and iPad users.
For macOS users, click on the Apple menu, go to System Settings, select General, and then click on Software Update.
Enabling automatic updates is recommended so that Rapid Security Response patches are received as soon as Apple releases them.
Security experts emphasize the importance of regularly updating software to the latest versions and exercising caution when encountering suspicious web pages or downloads.
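As an added example (not code from Apple or from this advisory), the following POSIX shell script gives a fleet administrator a scripted counterpart to the manual Software Update steps above: it identifies which of the listed macOS families a Mac runs, compares the installed version with a patched release the administrator supplies (MIN_PATCHED is a placeholder), and reports whether the automatic-update preferences that deliver Rapid Security Responses are enabled. The SoftwareUpdate preference key names are assumptions to verify against your own MDM documentation.

```shell
#!/bin/sh
# Added example (not Apple's or the advisory's own code): checks a Mac on the affected
# families (Monterey 12, Ventura 13, Sonoma 14) against the fixed release and confirms
# automatic updates are on so Rapid Security Responses arrive unattended.
# MIN_PATCHED is a placeholder: take the real value from Apple's advisory for the family.
MIN_PATCHED="${MIN_PATCHED:-0.0.0}"

# version_ge A B: succeeds when dotted version A >= B, numerically per component;
# missing trailing components count as 0.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# affected_family VERSION: prints the macOS family name listed in the advisory, or "none".
affected_family() {
    case "${1%%.*}" in
        12) echo Monterey ;;
        13) echo Ventura ;;
        14) echo Sonoma ;;
        *)  echo none ;;
    esac
}
# auto_update_enabled: succeeds only when every SoftwareUpdate preference key below
# (assumed key names; absent keys are treated as off) reads 1.
auto_update_enabled() {
    for key in AutomaticCheckEnabled AutomaticDownload \
               AutomaticallyInstallMacOSUpdates CriticalUpdateInstall; do
        v=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate "$key" 2>/dev/null)
        [ "$v" = "1" ] || return 1
    done
}
main() {
    command -v sw_vers >/dev/null 2>&1 || { echo "not macOS; nothing to check"; return 0; }
    ver=$(sw_vers -productVersion)
    fam=$(affected_family "$ver")
    [ "$fam" = none ] && { echo "macOS $ver: not an affected family"; return 0; }
    version_ge "$ver" "$MIN_PATCHED" && echo "macOS $fam $ver: at or above $MIN_PATCHED" \
        || echo "macOS $fam $ver: below $MIN_PATCHED, update now"
    auto_update_enabled && echo "automatic updates: on" || echo "automatic updates: OFF"
}
main
```

Run it as root on each Mac (for example via your MDM's script facility) with MIN_PATCHED set to the fixed version for that family; a "below" or "OFF" line is the signal to act on.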
Other Apple Zero-Days in 2023
In addition to the highlighted vulnerabilities, Apple has remediated 19 actively exploited zero-days in 2023.
Recent examples include CVE-2023-5217 in October, and CVE-2023-41993, CVE-2023-41991, CVE-2023-41992, CVE-2023-41064 and CVE-2023-41061 in September.
Please also refer to our previous articles for more information about the recent Apple zero-days:
- [CVSS 8+] Apple Patches Exploited Vulnerabilities Again
- Update Now: 3 Exploited Apple Zero-Days
- Zero-Day Vulnerabilities in iOS and iPadOS
This underscores the evolving challenges in cybersecurity and the need for users to stay vigilant, keeping their devices updated with the latest security patches.