Product and Affected Versions
- iOS and iPadOS: Versions before 17.1.2
- macOS Sonoma: Versions before 14.1.2
- Safari: Versions before 17.1.2
Severity and CVE ID
- CVE-2023-42916: Out-of-bounds read issue leading to information leakage
- CVE-2023-42917: Memory corruption allowing arbitrary code execution
Vulnerability
Both vulnerabilities are in the WebKit browser engine and may be exploited when it processes web content.
How the Attack Works
- CVE-2023-42916: Allows sensitive information to leak due to an out-of-bounds read issue in web content processing.
- CVE-2023-42917: Permits arbitrary code execution through a memory corruption bug while processing web content.
Remediations
- iOS 17.1.2 and iPadOS 17.1.2 for supported devices
- macOS Sonoma 14.1.2 for compatible Macs
- Safari 17.1.2 for systems running macOS Monterey and macOS Ventura
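The fix arrives through a different update depending on the platform: an OS update on iOS, iPadOS and macOS Sonoma, but a Safari update on macOS Monterey and Ventura. The following added example (not Apple's code and not part of the original advisory) checks a device inventory against the fixed releases listed above; the record layout, field names and sample devices are assumptions constructed for illustration.

```python
# Fixed releases as listed in this advisory.
FIXED_OS = {"ios": (17, 1, 2), "ipados": (17, 1, 2), "macos": (14, 1, 2)}
FIXED_SAFARI = (17, 1, 2)

def parse_version(text):
    """'17.1' -> (17, 1, 0); a trailing suffix such as ' (c)' is ignored."""
    parts = [int(p) for p in text.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def findings(record):
    """Return the reasons a device still needs action (empty list = patched)."""
    platform = record["platform"].lower()
    os_ver = parse_version(record["os_version"])
    if platform in ("ios", "ipados"):
        if os_ver >= FIXED_OS[platform]:
            return []
        return [f"{platform} {record['os_version']} is below 17.1.2"]
    if platform != "macos":
        return ["unknown platform, check manually"]
    if os_ver[0] >= 14:  # Sonoma or later: the fix ships in the OS update
        if os_ver >= FIXED_OS["macos"]:
            return []
        return [f"macOS {record['os_version']} is below 14.1.2"]
    if os_ver[0] in (12, 13):  # Monterey / Ventura: the fix ships as Safari 17.1.2
        safari = record.get("safari_version")
        if not safari:
            return ["Safari version missing from inventory"]
        if parse_version(safari) >= FIXED_SAFARI:
            return []
        return [f"Safari {safari} is below 17.1.2"]
    return ["macOS older than Monterey: no fixed release listed in this advisory"]

def audit(inventory):
    """Map hostname -> findings for every device that still needs action."""
    return {r["host"]: f for r in inventory if (f := findings(r))}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    {"host": "iphone-01", "platform": "iOS", "os_version": "17.1.1"},
    {"host": "ipad-02", "platform": "iPadOS", "os_version": "17.2"},
    {"host": "mac-03", "platform": "macOS", "os_version": "14.1.2"},
    {"host": "mac-04", "platform": "macOS", "os_version": "13.6.1", "safari_version": "17.1"},
    {"host": "mac-05", "platform": "macOS", "os_version": "12.7.1", "safari_version": "17.1.2"},
    {"host": "mac-06", "platform": "macOS", "os_version": "11.7.10"},
]

if __name__ == "__main__":
    for host, why in audit(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

A Monterey or Ventura Mac with no Safari version in the inventory is reported rather than assumed patched, since its OS version alone does not show whether the fix is installed.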
Reference
- Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered and reported these vulnerabilities.
- Apple’s updates address 19 actively exploited zero-day vulnerabilities identified since the beginning of 2023.
- Google recently patched a high-severity flaw (CVE-2023-6345) in Chrome, the seventh zero-day addressed by the company in the current year.


