With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities (CVE-2023-42916, CVE-2023-42917) that “may have been exploited against versions of iOS before iOS 16.7.1.”
About the vulnerabilities (CVE-2023-42916, CVE-2023-42917)
CVE-2023-42916 is an out-of-bounds read flaw, while CVE-2023-42917 is a vulnerability allowing for exploitable memory corruption.
Both affect WebKit, the Apple-developed browser engine used by the company’s Safari web browser and all web browsers on iOS and iPadOS.
CVE-2023-42916 may lead to disclosure of sensitive information, while CVE-2023-42917 allows arbitrary code execution. Both flaws can be triggered by Safari processing specially crafted web content.
Fixes are available
The vulnerabilities have been reported to Apple by security researcher Clément Lecigne, of Google’s Threat Analysis Group (TAG).
As is their wont, Apple did not disclose details about the attacks in which these zero-days have been exploited, but we know that Google TAG often uncovers zero-day vulnerabilities used to deliver state-sponsored spyware to targeted individuals (political dissidents, activists, and journalists).
Security updates with fixes for the two vulnerabilities are available for:
While the vulnerabilities have likely been exploited in extremely targeted attacks, all users are advised to implement these updates as soon as possible.
Apple says that the vulnerabilities have been exploited against versions of iOS before 16.7.1, but does not say whether iOS 16.7.1 and iOS 16.7.2 (the most recent iOS 16 release) are vulnerable. If they are, Apple will likely soon push out new security updates for iOS 16.