Apple has released software updates for iOS, iPadOS, macOS, and the Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software.
The vulnerabilities, both of which reside in the WebKit web browser engine, are described below –
- CVE-2023-42916 – An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content.
- CVE-2023-42917 – A memory corruption bug that could lead to arbitrary code execution when processing web content.
Apple said it is aware of reports that the flaws have been exploited "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the two flaws.
The iPhone maker did not provide additional information regarding the ongoing exploitation, but previously disclosed zero-days in iOS have been used to deliver mercenary spyware targeting high-risk individuals, such as activists, dissidents, journalists, and politicians.
It is worth pointing out here that every third-party web browser available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, is powered by the WebKit rendering engine because of restrictions imposed by Apple. A WebKit bug therefore affects every browser on the platform, not just Safari, making it a lucrative and broad attack surface.
The updates are available for the following devices and operating systems –
- iOS 17.1.2 and iPadOS 17.1.2 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- macOS Sonoma 14.1.2 – Macs running macOS Sonoma
- Safari 17.1.2 – Macs running macOS Monterey and macOS Ventura
With the latest security fixes, Apple has remediated as many as 19 actively exploited zero-days since the start of 2023. The release also comes days after Google shipped fixes for a high-severity flaw in Chrome (CVE-2023-6345) that has likewise come under real-world attack, making it the seventh zero-day patched by the company this year.