Apple responded to the active exploitation of two zero-day vulnerabilities in the wild by swiftly issuing emergency security updates. Identified as CVE-2023-42916 and CVE-2023-42917, these vulnerabilities specifically impact the WebKit browser engine across iPhone, iPad, and Mac devices.
Notably, Apple has taken the second spot among the most targeted vendors in this year’s examination of the CISA Known Exploited Vulnerabilities (KEV) catalog, trailing behind Microsoft. The inclusion of these zero-day vulnerabilities has augmented Apple’s KEV score, with two additional entries still pending evaluation.
All about the vulnerabilities:
Apple characterizes the initial zero-day, CVE-2023-42916, as an out-of-bounds read issue capable of exposing sensitive information. Exploiting this vulnerability involves enticing victims to interact with specially crafted web content.
The second vulnerability, CVE-2023-42917, is a memory corruption issue that allows attackers to execute arbitrary code on targeted devices. As with the first, exploitation relies on enticing victims to visit specially crafted web content.
As of now, no CVSS scores have been assigned to these vulnerabilities.
Clément Lecigne from Google’s Threat Analysis Group (TAG) discovered both CVE-2023-42916 and CVE-2023-42917. Apple acknowledges that these zero-day vulnerabilities may have been actively exploited, particularly against iOS versions prior to 16.7.1.
Which Apple devices are impacted by CVE-2023-42916 and CVE-2023-42917?
Both the CVE-2023-42916 and CVE-2023-42917 vulnerabilities affect:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, or Sonoma
Apple users are strongly advised to update their devices promptly to guard against exploitation of these vulnerabilities.
Update your Apple products to the latest version
Apple has swiftly tackled the vulnerabilities through the rollout of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
Apple has not published further technical details about CVE-2023-42916 and CVE-2023-42917. Its advisory states that CVE-2023-42916 was addressed with enhanced input validation and that CVE-2023-42917 was resolved with improved locking.
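For administrators who need to confirm that a fleet is on the fixed releases listed above, the following Python script is an added example (not from Apple or the original article) that audits a device inventory export. The CSV column names and sample rows are constructed. It assumes that Macs on Monterey or Ventura receive the WebKit fix through Safari 17.1.2, and that any iOS or iPadOS release below 17.1.2 still needs updating, since the article names no other fixed builds.

```python
import csv
import io

# Fixed releases named in the article.
FIXED_OS = {"iOS": (17, 1, 2), "iPadOS": (17, 1, 2), "macOS": (14, 1, 2)}
FIXED_SAFARI = (17, 1, 2)

# Constructed inventory export; the column names are hypothetical.
SAMPLE = """host,os,os_version,safari_version
iphone-01,iOS,17.1.2,
iphone-02,iOS,16.7.1,
ipad-01,iPadOS,17.1.1,
mac-01,macOS,14.1.2,17.1.2
mac-02,macOS,13.6.1,17.1.2
mac-03,macOS,13.6.1,17.1
mac-04,macOS,12.7.1,
"""

def parse_version(text):
    """'17.1' -> (17, 1, 0); empty or malformed input -> None."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(row):
    """Classify one device as 'patched', 'needs-update' or 'unknown'."""
    os_name, os_v = row["os"], parse_version(row["os_version"])
    if os_name not in FIXED_OS or os_v is None:
        return "unknown"
    if os_v >= FIXED_OS[os_name]:
        return "patched"
    if os_name == "macOS" and os_v[0] < 14:
        # Assumption: Monterey (12) and Ventura (13) get the WebKit fix via
        # Safari 17.1.2, so the Safari version decides, not the OS version.
        safari = parse_version(row.get("safari_version") or "")
        if os_v[0] not in (12, 13) or safari is None:
            return "unknown"  # release not covered by the article, or no data
        return "patched" if safari >= FIXED_SAFARI else "needs-update"
    return "needs-update"

def audit(csv_text):
    """Map each host in the CSV export to its patch status."""
    return {r["host"]: assess(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as `unknown` lack the data needed for a decision (for example, a Mac with no recorded Safari version) and should be checked by hand rather than treated as patched.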