Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; users are advised to update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities were discovered by Google’s Threat Analysis Group, which has been working on fixes for active Chrome vulnerabilities this week as well.
What are these Apple OS vulnerabilities?
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” according to Apple’s post about the security updates on Nov. 30. This implies that attackers may be actively using the vulnerabilities.
Apple’s update said the problem originated in WebKit, the engine used for Apple’s browsers, where “processing web content may lead to arbitrary code execution.” The updates fix an out-of-bounds read through improved input validation and repair a memory corruption vulnerability using improved locking.
The first vulnerability, the out-of-bounds read, is tracked as CVE-2023-42916. The update addressing it is available for:
- iPhone XS and later.
- iPad Pro 12.9-inch 2nd generation and later.
- iPad Pro 10.5-inch.
- iPad Pro 11-inch 1st generation and later.
- iPad Air 3rd generation and later.
- iPad 6th generation and later.
- iPad mini 5th generation and later.
The second vulnerability, the memory corruption, is tracked as CVE-2023-42917. The update addressing it is available for:
- iPhone XS and later.
- iPad Pro 12.9-inch 2nd generation and later.
- iPad Pro 10.5-inch.
- iPad Pro 11-inch 1st generation and later.
- iPad Air 3rd generation and later.
- iPad 6th generation and later.
- iPad mini 5th generation and later.
Information is sparse about the vulnerabilities, which Apple said were investigated by Clément Lecigne at Google’s Threat Analysis Group; the group’s stated mission is to “counter government-backed attacks.”
Remediation and protection against the WebKit exploits
Apple users should be sure they are running the latest version of their operating system, as a general security best practice as well as in the case of active vulnerabilities such as these. Apple has provided a complete list of the most up-to-date software updates.
A busy week for the Google Threat Analysis Group
The Google Threat Analysis Group also spotted and fixed an out-of-bounds memory access and six other vulnerabilities in Google Chrome earlier this week. On Nov. 28, Google announced a Chrome update to address the following:
- Type Confusion in Spellcheck.
- Use after free in Mojo.
- Use after free in WebAudio.
- Out of bounds memory access in libavif.
- Use after free in libavif.
- Integer overflow in Skia.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” the Chrome team wrote in the post about the security update.
TechRepublic contacted Apple and Google for commentary about this story. Apple referred us to the security release notes; Google has not responded at the time of publication.