Apple patches two new iOS zero-days – CVE-2023-42916 and CVE-2023-42917
Apple has released emergency security updates to address two zero-day vulnerabilities that could be exploited by attackers to gain access to sensitive information or execute arbitrary code on affected devices. The vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917, reside in the WebKit browser engine, which is used by Safari and other web browsers on Apple devices.
“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” the company said in an advisory.
Apple credits Clément Lecigne of Google’s Threat Analysis Group (TAG) with discovering and reporting both vulnerabilities.
Vulnerability Details
- CVE-2023-42916: An out-of-bounds read vulnerability could allow attackers to read sensitive information from the affected device’s memory.
- CVE-2023-42917: A memory corruption vulnerability could allow attackers to execute arbitrary code on the affected device.
Affected Devices
The following Apple devices are affected by these vulnerabilities:
- iPhone: iPhone XS and later
- iPad: iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Mac: Macs running macOS Monterey, Ventura, or Sonoma
Mitigation
Apple has released security updates for iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 that address these vulnerabilities. Users are strongly encouraged to install these updates as soon as possible.
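For fleet owners, the practical question is which managed devices are still below the fixed builds listed above. The following Python script is an added example written for this article; it is not Apple's code or part of any advisory tooling. It compares a device inventory (a constructed sample, with hypothetical hostnames) against the fix versions named here, and deliberately gives no verdict for major versions the article does not name a fix for (for example a Mac on Ventura 13.x), rather than guessing.

```python
"""Check an Apple device inventory against the fix versions named in this
advisory. The inventory below is constructed sample data, not a real MDM
export; hostnames and versions are hypothetical."""

from typing import Dict, List, Tuple

# Minimum versions that contain the fix, per this advisory.
# macOS is listed only for Sonoma (14.x); the article names no fixed
# build for Monterey or Ventura, so those majors get no verdict below.
PATCHED_VERSIONS: Dict[str, str] = {
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "macOS": "14.1.2",
    "Safari": "17.1.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2). Build suffixes such as '(21B101)'
    are not accepted; strip them before calling. Raises ValueError on
    non-numeric components so a malformed record is not silently 'patched'."""
    return tuple(int(part) for part in version.strip().split("."))


def version_at_least(installed: str, required: str) -> bool:
    """True if installed >= required. Shorter tuples are zero-padded so
    '17.1' compares as '17.1.0' and is therefore below '17.1.2'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_device(platform: str, version: str) -> str:
    """Classify one device as patched / unpatched / no_fix_listed / out_of_scope."""
    required = PATCHED_VERSIONS.get(platform)
    if required is None:
        return "out_of_scope"           # not an Apple platform named in the advisory
    if parse_version(version)[0] != parse_version(required)[0]:
        return "no_fix_listed"          # different major release; advisory names no fix
    return "patched" if version_at_least(version, required) else "unpatched"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by verdict so each bucket can be actioned separately."""
    buckets: Dict[str, List[str]] = {
        "patched": [], "unpatched": [], "no_fix_listed": [], "out_of_scope": []
    }
    for record in inventory:
        buckets[check_device(record["platform"], record["version"])].append(record["host"])
    return buckets


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames that are on a covered major release but below the fix version."""
    return triage(inventory)["unpatched"]


# Constructed sample inventory (hypothetical hosts; versions chosen to
# exercise each verdict, including the zero-padding and major-version cases).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "iphone-alice", "platform": "iOS", "version": "17.1.1"},
    {"host": "iphone-bob", "platform": "iOS", "version": "17.1.2"},
    {"host": "ipad-lab-01", "platform": "iPadOS", "version": "17.0"},
    {"host": "mbp-carol", "platform": "macOS", "version": "14.1.2"},
    {"host": "mbp-dave", "platform": "macOS", "version": "14.1"},
    {"host": "imac-eve", "platform": "macOS", "version": "13.6.1"},
    {"host": "printer-01", "platform": "Linux", "version": "6.5"},
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(hosts) or '-'}")
```

The `no_fix_listed` bucket is the one worth a second look: those devices are on an affected platform, but the versions quoted in this article do not say which build fixes them, so they need to be checked against Apple's own release notes rather than assumed safe or assumed vulnerable.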
Additional Recommendations
In addition to installing the security updates, users can also take the following steps to protect themselves from these vulnerabilities:
- Be cautious when clicking on links or opening attachments in emails from unknown senders.
- Only download software from trusted sources.
- Keep your devices up to date with the latest security patches.