Two significant vulnerabilities have been identified in the WebKit web browser engine, impacting a range of Apple devices and operating systems. These vulnerabilities are critical and require immediate attention.
- CVE-2023-42916: This is an out-of-bounds read issue in WebKit. It presents a risk of leaking sensitive information when processing web content. Such a vulnerability can be exploited to access data that should normally be off-limits, potentially exposing personal or confidential information.
- CVE-2023-42917: This vulnerability is a memory corruption bug within WebKit. It is particularly concerning because it could lead to arbitrary code execution. When exploited, it allows attackers to run their own code on the affected device, leading to a range of possible attacks, including system takeover, data manipulation, or further spreading of malware.
Apple has acknowledged these vulnerabilities and released updates for a range of devices. Users are urged to update their devices to the latest versions as soon as possible to mitigate these risks.
- iOS 17.1.2 and iPadOS 17.1.2: This update applies to iPhone XS and later models, iPad Pro (12.9-inch, 2nd generation and later), iPad Pro (10.5-inch), iPad Pro (11-inch, 1st generation and later), iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).
- macOS Sonoma 14.1.2: Users running macOS Sonoma on their Macs should update to this version. It contains fixes specifically targeted at these WebKit vulnerabilities.
- Safari 17.1.2: For Mac users running macOS Monterey and macOS Ventura, updating Safari to version 17.1.2 is crucial for securing their browsing experience.
In 2023, Apple has been actively addressing a significant number of zero-day vulnerabilities, with CVE-2023-42916 and CVE-2023-42917 marking the 19th and 20th such issues fixed by the company.
Google’s Threat Analysis Group (TAG) revealed CVE-2023-42824, a critical zero-day bug in the XNU kernel affecting iPhones and iPads, which could allow attackers to escalate privileges.
Three additional zero-day vulnerabilities – CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 – were patched following reports from Citizen Lab and Google TAG. These bugs were exploited by threat actors to deploy the Predator spyware.
Citizen Lab also disclosed two zero-day vulnerabilities, CVE-2023-41061 and CVE-2023-41064, which Apple addressed in September. These vulnerabilities were part of a zero-click exploit chain, named BLASTPASS, used to install the notorious Pegasus spyware developed by NSO Group. For more information on BLASTPASS, check out Netizen’s report on the set of vulnerabilities.
Additionally, eleven other zero-days have been patched by Apple in 2023, including:
- Two in July: CVE-2023-37450 and CVE-2023-38606.
- Three in June: CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439.
- Three more in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
- Two in April: CVE-2023-28206 and CVE-2023-28205.
- An additional WebKit zero-day, CVE-2023-23529, patched in February.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –