Skip to content

Apple fixes two zero-days affecting the WebKit browser engine

  • by
  • 2 min read

In the latest update, Apple released patches to fix two zero-day vulnerabilities — CVE-2023-42916 and CVE-2023-42917 — affecting several iPhone, iPad and Mac models.

Both vulnerabilities were reported to Apple by Clement Lecigne of Google’s Threat Analysis Group and made for about 20 zero-days patched by Apple in 2023.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple said in an advisory issued on November 30, 2023.

By exploiting CVE-2023-42916, an attacker could access sensitive information through an out-of-bounds read process. A program is tricked into reading data outside its limit in this attack.

Apple’s response was to improve input validation to fix the out-of-bounds read exploit.

The patch for CVE-2023-42916 has been released for iPhone XS and later, iPad Pro 12.9-inch 2nd generation or later, iPad Pro 10.5-inch,  iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later, and for Macs using macOS Monterey, Ventura and Sonoma.

On the other hand, CVE-2023-42917 is a memory corruption vulnerability. Memory corruption vulnerabilities are a type of security flaw that can occur in computer programs. They occur when a program accidentally or maliciously writes data to the wrong place in its memory, causing it to behave unpredictably or even crash.

Exploiting this vulnerability could lead to arbitrary code execution. Apple addressed this issue with improved locking.

In October, Apple released two updates for CVE-2023-42824 and CVE-2023-5217 flaws. In September, Apple fixed two more zero days disclosed by Citizen Lab: CVE-2023-41061 and CVE-2023-4106. These two vulnerabilities were exploited by the NSO’s group Pegasus mercenary spyware.

In July, Apple patched CVE-2023-38606, a kernel flaw, and CVE-2023-37450. Just a month before, Apple fixed yet another couple of flaws, including  CVE-2023-32434 and CVE-2023-32435, reported by Kaspersky. In June, Apple also fixed CVE-2023-32439. n March, Apple fixed a WebKit zero-day identified as CVE-2023-23529.

In the News: Proton Pass fortifies security with the Proton Sentinel program

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>