Apple Urgently Patches Zero-day Flaw Exploited in the Wild


Apple has released an emergency security update patching two actively exploited zero-day vulnerabilities in iOS. The vulnerabilities were discovered earlier this month, are tracked as CVE-2023-42916 and CVE-2023-42917, and affect many Apple products.

The security advisory from Apple covers several patched vulnerabilities. Two further vulnerabilities patched in this emergency update were CVE-2023-42890 and CVE-2023-42883.


All of these vulnerabilities existed in the WebKit browser engine of several Apple products such as macOS, iOS, and iPadOS.

CVE-2023-42916: Out of Bounds Read Vulnerability

This vulnerability exists in the WebKit engine of iOS, iPadOS, macOS, and Safari, allowing a threat actor to perform an out-of-bounds read that could disclose sensitive information when processing web content. This vulnerability has been given a severity of 6.5 (Medium).

Apple has patched this vulnerability with improved input validation.
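As an added illustration that is not Apple's or WebKit's code (the record format, the parser functions and the in-memory sample are all constructed for this example), the following C program shows the general shape of an out-of-bounds read caused by trusting a length field in untrusted content, beside the input-validation check that prevents it. The over-read is kept inside a single array so the demonstration itself stays defined behaviour while still showing what adjacent bytes an unchecked parser would copy out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory image: a 4-byte record (1-byte declared length followed
 * by 3 payload bytes) and then bytes that stand in for unrelated adjacent
 * memory. Everything lives in one array so the over-read stays in bounds of
 * the array and the example remains well-defined C. */
static const uint8_t g_memory[16] = {
    0x0C, 'a', 'b', 'c',                                   /* declares 12 bytes, has 3 */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'D', 'A', 'T', 'A', 0 /* "adjacent" data */
};
#define RECORD_LEN 4u   /* bytes that actually belong to the record */
#define OUT_CAP    16u

/* Vulnerable parser: copies as many bytes as the record *claims* to hold,
 * never checking how many bytes the record actually has. The clamp protects
 * the destination buffer only; the source is still over-read. */
size_t parse_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t declared = rec[0];
    if (declared > out_cap) declared = out_cap;
    memcpy(out, rec + 1, declared);   /* reads past the end of the record */
    return declared;
}

/* Hardened parser: the declared length is validated against the bytes that
 * are really available before any read happens. Returns 0 on success, -1 if
 * the record is malformed. */
int parse_checked(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < 1) return -1;
    size_t declared = rec[0];
    if (declared > rec_len - 1) return -1;   /* would read beyond the record */
    if (declared > out_cap) return -1;       /* would overflow the destination */
    memcpy(out, rec + 1, declared);
    *out_len = declared;
    return 0;
}

/* Returns 1 if the unchecked parser copied bytes from outside the record,
 * i.e. it disclosed the adjacent data. */
int unchecked_leaks_adjacent_bytes(void) {
    uint8_t out[OUT_CAP];
    size_t n = parse_unchecked(g_memory, out, sizeof out);
    /* only 3 payload bytes exist; anything after them came from outside */
    return n > RECORD_LEN - 1 &&
           memcmp(out + 3, g_memory + RECORD_LEN, n - 3) == 0;
}

/* Returns 1 if the hardened parser rejects the malformed record. */
int checked_rejects_record(void) {
    uint8_t out[OUT_CAP];
    size_t n = 0;
    return parse_checked(g_memory, RECORD_LEN, out, sizeof out, &n) == -1;
}

/* Returns 1 if the hardened parser still accepts a well-formed record. */
int checked_accepts_valid_record(void) {
    static const uint8_t good[4] = { 0x03, 'a', 'b', 'c' };
    uint8_t out[OUT_CAP];
    size_t n = 0;
    return parse_checked(good, sizeof good, out, sizeof out, &n) == 0 &&
           n == 3 && memcmp(out, "abc", 3) == 0;
}

int main(void) {
    printf("unchecked parser leaks adjacent bytes: %d\n", unchecked_leaks_adjacent_bytes());
    printf("checked parser rejects malformed record: %d\n", checked_rejects_record());
    printf("checked parser accepts valid record: %d\n", checked_accepts_valid_record());
    return 0;
}
```

The point of the check is the comparison of the declared length against the number of bytes actually present (`rec_len - 1`); it has to come before the copy, because once the read has happened the disclosure has already occurred.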

Products affected by this vulnerability include iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

CVE-2023-42917: Memory Corruption Vulnerability

This vulnerability exists in the WebKit engine of iOS, iPadOS, macOS, and Safari, allowing an attacker to execute arbitrary code when processing web content.

The severity for this vulnerability has been given as 8.8 (High). Apple stated that it patched this vulnerability through improved locking.

Products affected by this vulnerability include iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Both of these vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog to raise awareness among all users of these products.

Apple urges its users to update their Apple products to the latest version to patch these vulnerabilities and avoid becoming victims of cybercriminals.


