Apple tackles 2 active exploits with iOS, macOS, and Safari updates

Product and Affected Versions

  • iOS and iPadOS: Versions before 17.1.2
  • macOS Sonoma: Versions before 14.1.2
  • Safari: Versions before 17.1.2

Severity and CVE ID

  • CVE-2023-42916: Out-of-bounds read issue leading to information leakage
  • CVE-2023-42917: Memory corruption allowing arbitrary code execution

Vulnerability

Both vulnerabilities are in the WebKit browser engine and can be triggered while processing maliciously crafted web content; any app that renders web content through WebKit is exposed, not only Safari.

How the Attack Works

  • CVE-2023-42916: Allows sensitive information to leak due to an out-of-bounds read issue in web content processing.
  • CVE-2023-42917: Permits arbitrary code execution through a memory corruption bug while processing web content.

Remediations

  • iOS 17.1.2 and iPadOS 17.1.2 for supported devices
  • macOS Sonoma 14.1.2 for compatible Macs
  • Safari 17.1.2 for systems running macOS Monterey and macOS Ventura
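The remediation depends on which platform a device runs: Sonoma hosts are fixed by the macOS update, while Monterey and Ventura hosts get the fix through the standalone Safari update. The following is an added example, not part of the advisory or of Apple's tooling, that encodes the minimum patched versions from the lists above and evaluates an inventory of constructed device records against them. It assumes a plain dotted-integer version scheme and that versions are collected separately (on a Mac, `sw_vers -productVersion` and Safari's `CFBundleShortVersionString` from its Info.plist are the usual sources); the inventory values are constructed for illustration.

```python
"""Check collected Apple OS/Safari versions against the advisory's fixed versions."""

from typing import Dict, Tuple

# Minimum versions containing the fixes for CVE-2023-42916 and CVE-2023-42917,
# taken from the advisory's Remediations section.
PATCHED_VERSIONS: Dict[str, str] = {
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "macOS Sonoma": "14.1.2",
    "Safari": "17.1.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.2' into (14, 1, 2); non-numeric components raise ValueError."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like strcmp; '14.1' and '14.1.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    if product not in PATCHED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return compare_versions(installed, PATCHED_VERSIONS[product]) >= 0


def macos_remediation(macos_version: str, safari_version: str) -> Tuple[str, str]:
    """Pick the remediation that applies to a Mac and report its status.

    Sonoma (14.x) is fixed by macOS 14.1.2; Monterey (12.x) and Ventura (13.x)
    receive the fix via Safari 17.1.2. Other majors are outside the advisory,
    so the status is 'unknown' rather than a guess either way.
    """
    major = parse_version(macos_version)[0]
    if major == 14:
        ok = is_patched("macOS Sonoma", macos_version)
        return ("macOS Sonoma 14.1.2", "patched" if ok else "unpatched")
    if major in (12, 13):
        ok = is_patched("Safari", safari_version)
        return ("Safari 17.1.2", "patched" if ok else "unpatched")
    return ("not covered by this advisory", "unknown")


def assess_inventory(inventory):
    """Map each record to (remediation, status). Records are hypothetical dicts
    with 'name', 'platform' and version fields; this layout is an assumption."""
    results = {}
    for rec in inventory:
        if rec["platform"] == "macOS":
            results[rec["name"]] = macos_remediation(rec["os"], rec["safari"])
        else:  # iOS / iPadOS
            ok = is_patched(rec["platform"], rec["os"])
            results[rec["name"]] = (f"{rec['platform']} 17.1.2",
                                    "patched" if ok else "unpatched")
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = [
        {"name": "mbp-01", "platform": "macOS", "os": "14.1.1", "safari": "17.1.1"},
        {"name": "mbp-02", "platform": "macOS", "os": "13.6.2", "safari": "17.1.2"},
        {"name": "iphone-07", "platform": "iOS", "os": "17.1.2"},
        {"name": "ipad-03", "platform": "iPadOS", "os": "16.7.2"},
    ]
    for name, (fix, status) in assess_inventory(sample).items():
        print(f"{name:10} {status:10} needs {fix}")
```

A device on an older major release that never received the Safari 17.1.2 update is reported as "not covered" rather than "patched"; treat those as open items for manual review instead of assuming they are safe.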

Reference

  • Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered and reported these vulnerabilities.
  • With these updates, Apple has addressed 19 actively exploited zero-day vulnerabilities since the beginning of 2023.
  • Google recently patched a high-severity flaw (CVE-2023-6345) in Chrome, the seventh zero-day the company has addressed this year.