Apple has released emergency security updates for its iOS [5] [8], iPadOS [1] [3] [4] [5] [6] [7] [8] [9], macOS [1] [3] [5] [7] [8] [9], and Safari web browser to address two zero-day vulnerabilities that have already been exploited by hackers. These vulnerabilities were reported by security researcher Clément Lecigne from Google’s Threat Analysis Group and were found in the WebKit browser engine used by Safari and other Apple web browsers.
Description
The vulnerabilities, known as CVE-2023-42916 and CVE-2023-42917 [2] [3] [8], allow attackers to gain access to sensitive information and execute arbitrary code on affected devices [5] [8]. Apple has released updates labeled iOS 17.1.2, iPadOS 17.1.2 [7], and Safari 17.1.2 for all supported versions of its operating systems, including iOS, macOS [1] [3] [5] [7] [8] [9], and iPadOS [1] [3] [4] [9]. It is recommended that users update their Apple devices to the latest versions to ensure safety.
The in-the-wild attacks appear to have targeted earlier versions of iOS, and it is unclear if iOS versions 16.7.1 and 16.7.2 are also vulnerable [2]. iPhones from the iPhone XS onwards [8], certain models of iPads [8], and Macs running specific versions of macOS are impacted by these vulnerabilities. Third-party web browsers on iOS and iPadOS are also vulnerable due to their use of the WebKit rendering engine [1].
Apple’s rapid response to these issues helps reduce the attack surface, but it is crucial for users and organizations to update their devices to eliminate any vulnerabilities. This release from Apple marks the remediation of 19 actively exploited zero-day vulnerabilities since the beginning of 2023. Additionally, Google recently patched a high-severity flaw in Chrome (CVE-2023-6345) that has also been targeted in real-world attacks [1].
Conclusion
The emergency security updates released by Apple address two zero-day vulnerabilities that have already been exploited by hackers [8]. It is important for users to update their Apple devices to the latest versions of iOS, iPadOS [1] [3] [4] [5] [6] [7] [8] [9], macOS [1] [3] [5] [7] [8] [9], and Safari to protect against these vulnerabilities [5]. The impact of these vulnerabilities extends to iPhones, iPads [4] [5] [6] [8] [9], and Macs [5] [6], as well as third-party web browsers on iOS and iPadOS [1]. Apple’s swift response helps mitigate the risk, but it is essential for users and organizations to stay vigilant and keep their devices updated to prevent any potential attacks.
References
[1] https://thehackernews.com/2023/12/zero-day-alert-apple-rolls-out-ios.html
[2] https://cyber.vumetric.com/security-news/2023/12/01/apple-patches-two-zero-days-used-to-target-ios-users-cve-2023-42916-cve-2023-42917/
[3] https://arstechnica.com/security/2023/11/google-researchers-report-critical-zero-days-in-chrome-and-all-apple-oses/
[4] https://support.apple.com/en-us/HT214031
[5] https://securityonline.info/apple-patches-two-new-ios-zero-days-cve-2023-42916-and-cve-2023-42917/
[6] https://www.mactech.com/2023/12/01/apple-security-expert-weighs-in-on-latest-emergency-security-updates/
[7] https://www.csoonline.com/article/1250374/apple-patches-info-stealing-zero-day-bugs-in-ipads-and-macs.html
[8] https://www.tomsguide.com/news/apple-issues-new-emergency-security-updates-for-iphones-and-macs-dont-skip-these-patches
[9] https://www.helpnetsecurity.com/2023/12/01/cve-2023-42916-cve-2023-42917/
