Apple Releases Emergency Security Updates to Address Zero-Day Flaws on Older Devices

December 11, 2023

Apple has proactively released emergency security updates to provide patches for two zero-day vulnerabilities that are currently being exploited, affecting older iPhone models, as well as select Apple Watch and Apple TV devices. The company stated in security advisories published on Monday, "Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1."

The two vulnerabilities, identified as CVE-2023-42916 and CVE-2023-42917, were found within the WebKit browser engine, a technology developed by Apple and utilized across its platforms by the Safari web browser. These vulnerabilities could potentially allow attackers to gain access to sensitive information and execute arbitrary code through maliciously designed webpages that exploit out-of-bounds and memory corruption bugs on devices that have not been patched.

On the same day, Apple addressed these zero-day vulnerabilities in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 by enhancing input validation and locking. The company also confirmed that these bugs have now been patched on a list of devices they provided.

The discovery and reporting of both zero-day vulnerabilities were credited to Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG). While Apple has not yet offered specifics about the exploitation of these vulnerabilities in attacks, Google TAG researchers have consistently identified and disclosed details about zero-day flaws used in attacks sponsored by nation-states, targeting individuals of high-profile status, including journalists, opposition figures, and dissidents.

Last week, on December 4, the Cybersecurity and Infrastructure Security Agency (CISA) mandated Federal Civilian Executive Branch (FCEB) agencies to patch their devices against these two security vulnerabilities, following evidence of active exploitation. Since the beginning of the year, Apple has patched a total of 20 zero-day vulnerabilities that were exploited in attacks.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.