Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)

With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities (CVE-2023-42916, CVE-2023-42917) that “may have been exploited against versions of iOS before iOS 16.7.1.”


About the vulnerabilities (CVE-2023-42916, CVE-2023-42917)

CVE-2023-42916 is an out-of-bounds read flaw, while CVE-2023-42917 is a vulnerability allowing for exploitable memory corruption.

Both affect WebKit, the Apple-developed browser engine used by the company’s Safari web browser and all web browsers on iOS and iPadOS.

CVE-2023-42916 may lead to disclosure of sensitive information, while CVE-2023-42917 allows arbitrary code execution. Both flaws can be triggered by Safari processing specially crafted web content.
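To make the information-disclosure consequence of an out-of-bounds read concrete, here is a small, self-contained C illustration. It is an added teaching example, not code from Apple, WebKit or the advisory, and it models nothing about the actual bugs: a constructed 16-byte region holds an 8-byte "public" record followed by 8 bytes that must not leave the process, and an accessor that never compares the requested length against the record size hands back the adjacent bytes. The hardened accessor beside it shows the single bounds check that closes the leak.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed demo data (assumption for this example): the first
 * PUBLIC_LEN bytes may be handed to a caller, the rest must stay private. */
#define PUBLIC_LEN 8
#define REGION_LEN 16
static const char region[] = "pub-dataSECRET!!";   /* 16 bytes + NUL */

/* Unchecked accessor: trusts the caller's length and copies whatever
 * follows the public record. An oversized request therefore returns the
 * adjacent private bytes, the disclosure pattern of an OOB read. */
size_t read_unchecked(char *out, size_t len) {
    memcpy(out, region, len);   /* len is never compared to PUBLIC_LEN */
    return len;
}

/* Hardened accessor: a request larger than the public record is refused
 * outright, so the private bytes are never copied. */
size_t read_checked(char *out, size_t len) {
    if (len > PUBLIC_LEN) return 0;
    memcpy(out, region, len);
    return len;
}

/* Returns 1 if an oversized request through the unchecked accessor
 * exposes the private region, 0 otherwise. */
int unchecked_leaks_secret(void) {
    char buf[REGION_LEN + 1] = {0};
    read_unchecked(buf, REGION_LEN);
    return memcmp(buf + PUBLIC_LEN, "SECRET!!", PUBLIC_LEN) == 0;
}

/* Returns 1 if the checked accessor refuses the same oversized request
 * and leaves the output buffer untouched past the public record. */
int checked_refuses_oversized(void) {
    char buf[REGION_LEN + 1] = {0};
    return read_checked(buf, REGION_LEN) == 0 && buf[PUBLIC_LEN] == '\0';
}

int main(void) {
    char buf[REGION_LEN + 1] = {0};
    size_t n = read_unchecked(buf, REGION_LEN);
    printf("unchecked: %zu bytes -> \"%s\"\n", n, buf);   /* private bytes leak */
    memset(buf, 0, sizeof buf);
    n = read_checked(buf, REGION_LEN);
    printf("checked (oversized): %zu bytes copied\n", n); /* 0, request refused */
    n = read_checked(buf, PUBLIC_LEN);
    printf("checked (in range): %zu bytes -> \"%s\"\n", n, buf);
    return 0;
}
```

The point of the contrast is that the leak needs no memory corruption at all: a read that runs past its intended record is enough to expose whatever sits next to it, which is why Apple rates CVE-2023-42916 as an information-disclosure issue rather than a code-execution one.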

Fixes are available

The vulnerabilities have been reported to Apple by security researcher Clément Lecigne, of Google’s Threat Analysis Group (TAG).

As is their wont, Apple did not disclose details about the attacks in which these zero-days have been exploited, but we know that Google TAG often uncovers zero-day vulnerabilities used to deliver state-sponsored spyware to targeted individuals (political dissidents, activists, and journalists).

Security updates with fixes for the two vulnerabilities are available for:

While the vulnerabilities have likely been exploited in extremely targeted attacks, all users are advised to implement these updates as soon as possible.

Apple says that the vulnerabilities have been exploited against versions of iOS before 16.7.1, but does not say whether iOS 16.7.1 and iOS 16.7.2 (the most recent iOS 16 release) are vulnerable. If they are, Apple will likely soon push out new security updates for iOS 16.

UPDATE (December 12, 2023, 04:50 a.m. ET):

Apple has backported the patches for CVE-2023-42916 and CVE-2023-42917 to iOS and iPadOS 16.7.3, and has added them to tvOS 17.2 and watchOS 10.2.
