Apple Rushes to Patch Two Zero-Day Vulnerabilities in Emergency Updates

November 30, 2023

Apple has rushed out emergency security patches to rectify two zero-day vulnerabilities that have been exploited in attacks. The vulnerabilities affect a range of devices including iPhones, iPads, and Macs. This action takes the count of zero-days patched by the tech giant since the year's start to 20. The company issued an advisory on Wednesday, acknowledging reports that these issues may have been exploited against earlier versions of iOS.

The two vulnerabilities, identified as CVE-2023-42916 and CVE-2023-42917, were discovered in the WebKit browser engine. They potentially allow attackers to access sensitive information through an out-of-bounds read weakness and to execute arbitrary code via a memory corruption bug on vulnerable devices. Attackers can exploit them using maliciously crafted webpages.

Apple has addressed these security flaws in devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2, by improving input validation and locking. The list of Apple devices impacted by these vulnerabilities is extensive.

Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), identified and reported both zero-days. While Apple has not disclosed any information about ongoing exploitation in the wild, Google TAG researchers have frequently discovered and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

The two vulnerabilities, CVE-2023-42916 and CVE-2023-42917, are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple has fixed this year. Google TAG disclosed another zero-day bug, CVE-2023-42824, in the XNU kernel, which enables attackers to escalate privileges on vulnerable iPhones and iPads.

Apple recently patched three more zero-day bugs, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, reported by Citizen Lab and Google TAG researchers. These vulnerabilities were exploited by threat actors to deploy Predator spyware. Additionally, Citizen Lab disclosed two other zero-days, CVE-2023-41061 and CVE-2023-41064, which were fixed by Apple in September and were used as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware. Since the year's start, Apple has also patched a number of other vulnerabilities.
