Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year.

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.

The two bugs were found in the WebKit browser engine. Via maliciously crafted webpages, they allow attackers to gain access to sensitive information through an out-of-bounds read weakness and to gain arbitrary code execution through a memory corruption bug on vulnerable devices.

The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.

Affected iPad models include iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Security researcher Clément Lecigne of Google's Threat Analysis Group found and reported both zero-days. While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.

Google TAG disclosed another zero-day bug in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads. Apple recently patched three more zero-day bugs reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware. Citizen Lab disclosed two other zero-days, fixed by Apple in September and abused as part of a zero-click exploit chain to install NSO Group's Pegasus spyware.
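For a defender, the practical follow-up to an advisory like this is confirming that every managed device has reached the fixed build. The following script is an added example, not code from the article or from Apple: it compares inventory entries against the fixed versions named above (iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, Safari 17.1.2) using proper numeric version comparison, so that 17.10 is not mistaken for something older than 17.1.2. The CSV inventory is constructed for illustration; the assumption that anything below the listed version is unpatched is stated in the code, and it does not account for updates Apple may ship for older OS branches, which are not covered by this article.

```python
"""Fleet check: flag Apple devices below the builds that fix CVE-2023-42916 / CVE-2023-42917.

Added example (not from the article). Assumes a CSV inventory with the columns
device_id,platform,version and treats only the versions named in the advisory
as fixed; older OS branches are not modelled here.
"""
import csv
import io

# Minimum versions that contain the fix, as named in Apple's advisory.
FIXED_VERSIONS = {
    "ios": (17, 1, 2),
    "ipados": (17, 1, 2),
    "macos": (14, 1, 2),
    "safari": (17, 1, 2),
}

# Constructed sample inventory; these device ids and versions are made up.
SAMPLE_INVENTORY = """\
device_id,platform,version
mbp-001,macOS,14.1.2
mbp-002,macOS,14.1.1
iphone-001,iOS,17.1.2
iphone-002,iOS,16.7.1
ipad-001,iPadOS,17.1
"""


def parse_version(text):
    """Turn '17.1.2' into (17, 1, 2); pad short strings so '17.1' compares as 17.1.0.

    Raises ValueError for non-numeric components (e.g. beta suffixes).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def patch_status(platform, version):
    """Return 'patched', 'unpatched', 'unknown-platform' or 'unparseable'."""
    fixed = FIXED_VERSIONS.get(platform.strip().lower())
    if fixed is None:
        return "unknown-platform"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    # Tuple comparison is lexicographic on numeric components, so
    # (17, 10, 0) correctly ranks above (17, 1, 2).
    return "patched" if installed >= fixed else "unpatched"


def unpatched_devices(inventory_csv):
    """Return device ids from the CSV text whose status is anything but 'patched'.

    Unknown platforms and unparseable versions are included on purpose: a fleet
    check should surface what it cannot vouch for rather than silently skip it.
    """
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        row["device_id"]
        for row in reader
        if patch_status(row["platform"], row["version"]) != "patched"
    ]


if __name__ == "__main__":
    for device in unpatched_devices(SAMPLE_INVENTORY):
        print(f"needs update: {device}")
```

Run against a real MDM export, the same function gives a list to drive update enforcement; the "unparseable" and "unknown-platform" results are worth reviewing by hand rather than dropping.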
Source: www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 20:24:55 +0000