Apple has issued emergency security updates to backport patches for two actively exploited zero-day flaws to older iPhones and some Apple Watch and Apple TV models.
The two vulnerabilities, now tracked as CVE-2023-42916 and CVE-2023-42917, were discovered within the WebKit browser engine, developed by Apple and used by the company's Safari web browser across its platforms.
They can let attackers obtain access to sensitive data through and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.
Today, Apple addressed the zero-days in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 with improved input validation and locking.
iPhone 8 and later, iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Clément Lecigne, a security researcher from Google's Threat Analysis Group, discovered and reported both zero-day vulnerabilities.
Although Apple has yet to provide details about the vulnerabilities' exploitation in attacks, researchers at Google TAG have frequently identified and disclosed information on zero-day flaws employed in state-sponsored surveillance software attacks targeting high-profile individuals, including journalists, opposition figures, and dissidents.
CISA also ordered Federal Civilian Executive Branch agencies last week, on December 4, to patch their devices against these two security vulnerabilities based on evidence of active exploitation.
Three more zero-days in May. two zero-days in April.
Apple fixes two new iOS zero-days in emergency updates.
Apple fixes iOS Kernel zero-day vulnerability on older iPhones.
Google Chrome emergency update fixes 6th zero-day exploited in 2023.
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked.
Cisco patches IOS XE zero-days used to hack over 50,000 devices.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 11 Dec 2023 19:30:26 +0000