Applehas issued emergency security updates to address two zero-day vulnerabilitiesthat were exploited in attacks, affecting iPhone, iPad, and Mac devices.Apple has issued emergency security updates to address two zero-day vulnerabilities that were exploited in attacks, affecting iPhone, iPad, and Mac devices. This brings the total number of patched zero-days to 20 since the beginning of the year.
In a Wednesday advisory, the company acknowledged a report indicating that the identified issue might have been exploited in versions of iOS prior to iOS 16.7.1.
The WebKit browser engine revealed two vulnerabilities (CVE-2023-42916 and CVE-2023-42917). These bugs enabled attackers to acquire sensitive information through an out-of-bounds read weakness and execute arbitrary code by exploiting a memory corruption bug on susceptible devices via carefully crafted webpages.
The company has addressed security vulnerabilities in devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 by implementing enhanced input validation and locking measures.
The extensive list of affected Apple devices includes:
• iPhone XS and newer models
• iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
• Macs running macOS Monterey, Ventura, Sonoma
Although Apple has not provided details on ongoing exploitation in the wild, Google TAG researchers have frequently identified and disclosed zero-days employed in state-sponsored spyware attacks against high-risk individuals, including journalists, opposition politicians, and dissidents.
In 2023, a total of 20 zero-day vulnerabilities have been exploited in live attacks. The latest ones, CVE-2023-42916 and CVE-2023-42917, mark the 19th and 20th instances of such vulnerabilities that Apple has addressed this year.
Additionally, Google TAG revealed another zero-day flaw (CVE-2023-42824) affecting the XNU kernel, providing attackers with the capability to escalate privileges on iPhones and iPads.
Apple recently resolved three more zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that were identified by researchers from both Citizen Lab and Google TAG. These vulnerabilities were exploited by threat actors to deploy the Predator spyware.
Moreover, a two additional zero-days were disclosed (CVE-2023-41061 and CVE-2023-41064) and fixed by Apple in September. These vulnerabilities were exploited as part of a zero-click exploit chain known as BLASTPASS, utilized for installing NSO Group's Pegasus spyware.
Throughout the year, Apple has consistently addressed security issues, including:
Two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
Three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
Three additional zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
Two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
Another WebKit zero-day (CVE-2023-23529) in February
