Apple Rushes to Patch Two Zero-Day Vulnerabilities in Emergency Updates
November 30, 2023
Apple has rushed out emergency security patches to rectify two zero-day vulnerabilities that have been exploited in attacks. The vulnerabilities affect a range of devices including iPhones, iPads, and Macs. This action takes the count of zero-days patched by the tech giant since the year's start to 20. The company issued an advisory on Wednesday, acknowledging reports that these issues may have been exploited against earlier versions of iOS.
The two vulnerabilities were discovered in the WebKit browser engine and are tracked as CVE-2023-42916 and CVE-2023-42917. The first is an out-of-bounds read that can expose sensitive information; the second is a memory corruption bug that can lead to arbitrary code execution on a vulnerable device. Both can be triggered by processing maliciously crafted web content, so simply visiting a malicious webpage is enough to reach them.
Apple has addressed these security flaws in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2, with improved input validation (for the out-of-bounds read) and improved locking (for the memory corruption bug). The list of Apple devices impacted by these vulnerabilities is extensive.
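A defender-side inventory check, added here and not part of the article or of any Apple tooling: it compares a device's reported version against the fixed builds the article names (iOS/iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2) and flags entries still below them. The `device,platform,version` inventory format and the device names are constructed for this example; on a Mac it can also read the local version with `sw_vers`.

```shell
#!/bin/sh
# Builds that the article reports as containing the fix for CVE-2023-42916/42917.
# Versions on release lines not listed here are not covered by this check.
fixed_version() {
  case "$1" in
    ios|ipados|safari) echo "17.1.2" ;;
    macos)             echo "14.1.2" ;;
    *) echo "unknown platform: $1" >&2; return 1 ;;
  esac
}

# version_ge A B: exit 0 when dotted numeric version A is >= B, component-wise
# (missing trailing components count as 0, so 14.2 >= 14.1.2 and 17.1 == 17.1.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# patch_status PLATFORM VERSION: prints "patched" or "vulnerable".
patch_status() {
  need="$(fixed_version "$1")" || return 1
  if version_ge "$2" "$need"; then echo patched; else echo vulnerable; fi
}

# scan_inventory: reads "device,platform,version" lines (constructed format) on
# stdin and prints "device platform version status" for each.
scan_inventory() {
  while IFS=, read -r dev plat ver; do
    [ -n "$dev" ] || continue
    echo "$dev $plat $ver $(patch_status "$plat" "$ver")"
  done
}

# Constructed sample inventory; the device names are not real.
SAMPLE_INVENTORY='mac-01,macos,14.1.2
mac-02,macos,14.1.1
phone-03,ios,17.1.2
tablet-04,ipados,17.0.3
mac-05,safari,17.1.2'

# On a Mac, check the local OS build directly (sw_vers exists only on macOS).
if [ "$(uname)" = "Darwin" ] && command -v sw_vers >/dev/null 2>&1; then
  patch_status macos "$(sw_vers -productVersion)"
fi
```

Run `printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory` to see the two out-of-date entries in the sample flagged as vulnerable.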
Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), identified and reported both zero-days. While Apple has not disclosed any information about ongoing exploitation in the wild, Google TAG researchers have frequently discovered and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.
The two vulnerabilities, CVE-2023-42916 and CVE-2023-42917, are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple has fixed this year. Google TAG disclosed another zero-day bug, CVE-2023-42824, in the XNU kernel, which enables attackers to escalate privileges on vulnerable iPhones and iPads.
Apple recently patched three more zero-day bugs, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, reported by Citizen Lab and Google TAG researchers. These vulnerabilities were exploited by threat actors to deploy Predator spyware. Additionally, Citizen Lab disclosed two other zero-days, CVE-2023-41061 and CVE-2023-41064, which were fixed by Apple in September and were used as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware. Since the year's start, Apple has also patched a number of other vulnerabilities.