CyberSecurityBoard
Sponsor Register Login

WebKit security hole found The Register

Apple has issued emergency fixes to plug security flaws in iPhones, iPads, and Macs that may already be under attack.
The software updates for iOS, iPadOS, macOS Sonoma, and Safari web browser address two bugs: an out-of-bounds read flaw tracked as CVE-2023-42916, and a memory corruption vulnerability tracked as CVE-2023-42917.
Both are in the WebKit web browser engine - the heart of Safari, as found on iThings and Macs - and can be abused to access sensitive information and execute arbitrary code on vulnerable devices.
It appears a malicious webpage or similar content can exploit these holes: we imagine an attack would involve tricking a mark into a opening a page that then hijacks their equipment and snoops on them.
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
"Apple is aware of a report that this issue may have been exploited," the Silicon Valley corp said about both bugs in the November 30 security update.
While we don't have details about who may have been poking code in Apple devices, and what evil deeds they were likely doing, both were found by Clément Lecigne of Google's Threat Analysis Group.
TAG keeps a close eye on nation-state espionage crews, as well as commercial spyware vendors, and some of the earlier Apple bugs have been used to deploy Pegasus and TriangleDB snooping malware on compromised phones and computers.
In May, Cupertino fixed three other WebKit flaws under exploit that had also been spotted by Lecigne and Amnesty International.
These types of bugs tend to be exploited in targeted attacks against politicians, journalists, academics, activists and others.
Also this week: Google fixed a bug in its Chrome browser that Lecigne found.
This vulnerability, CVE-2023-6345, was also exploited by miscreants before Google issued the patch.
As with the Apple flaws, we don't have many details about the Chrome vulnerability, other than it's a high-severity integer overflow issue in Skia, a popular graphics library used by the browser.
If we had to bet, we'd put money on all of these being exploited by cyber snoops for espionage purposes.
So before you head into the weekend, it's probably a good idea to update everything.


This Cyber News was published on go.theregister.com. Publication date: Fri, 01 Dec 2023 23:06:56 +0000


Cyber News related to WebKit security hole found The Register

CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
7 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
7 years ago
CVE-2024-27080 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
1 year ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
7 months ago Tenable.com
CVE-2023-52911 - In the Linux kernel, the following vulnerability has been resolved: ...
6 months ago
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
1 year ago Feeds.dzone.com
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
8 months ago Helpnetsecurity.com
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
2 months ago Cybersecuritynews.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
1 year ago Microsoft.com
6 Best Cloud Security Companies & Vendors in 2024 - Cloud security companies specialize in protecting cloud-based assets, data, and applications against cyberattacks. To help you choose, we've analyzed a range of cybersecurity companies offering cloud security products and threat protection services. ...
1 year ago Esecurityplanet.com
10 Best Security Service Edge Solutions - Security Service Edge is an idea in cybersecurity that shows how network security has changed over time. With a focus on customized solutions, Security Service Edge Solutions leverages its expertise in multiple programming languages, frameworks, and ...
1 year ago Cybersecuritynews.com
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
1 year ago Blog.checkpoint.com
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
What Is Cloud Security Management? Types & Strategies - Cloud security management is the process of safeguarding cloud data and operations from attacks and vulnerabilities through a set of cloud strategies, tools, and practices. The cloud security manager and the IT team are generally responsible for ...
1 year ago Esecurityplanet.com
CVE-2025-26603 - Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or ...
4 months ago Tenable.com
CVE-2024-42253 - In the Linux kernel, the following vulnerability has been resolved: ...
6 months ago
Key Breakthroughs from RSA Conference 2025 - Day 1 - Sumo Logic unveiled intelligent security operations with capabilities like detection-as-code (bringing DevSecOps to threat detection), UEBA historical baselining (improving accuracy by learning behavior over time), multiple threat intelligence feeds, ...
1 month ago Cybersecuritynews.com Inception
IaaS vs PaaS vs SaaS Security: Which Is Most Secure? - Security concerns include data protection, network security, identity and access management, and physical security. While IaaS gives complete control and accountability, PaaS strikes a compromise between control and simplicity, and SaaS provides a ...
1 year ago Esecurityplanet.com
Intel knew AVX chips were insecure and did nothing - Intel has been sued by a handful of PC buyers who claim the x86 goliath failed to act when informed five years ago about faulty chip instructions that allowed the recent Downfall vulnerability, and during that period sold billions of insecure chips. ...
1 year ago Theregister.com
CVE-2021-32793 - Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored ...
3 years ago
CVE-2024-42304 - In the Linux kernel, the following vulnerability has been resolved: ...
6 months ago
CVE-2022-48644 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
The First 10 Days of a vCISO’S Journey with a New Client - Cyber Defense Magazine - During this period, the vCISO conducts a comprehensive assessment to identify vulnerabilities, engages with key stakeholders to align security efforts with business objectives, and develops a strategic roadmap to prioritize actions and resources. If ...
8 months ago Cyberdefensemagazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)