Apple emergency updates fix recent zero-days on older iPhones


Apple has issued emergency security updates to backport patches for two actively exploited zero-day flaws to older iPhones and some Apple Watch and Apple TV models.

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in security advisories published on Monday.

The two vulnerabilities, now tracked as CVE-2023-42916 and CVE-2023-42917, were found within the WebKit browser engine, developed by Apple and used by the company's Safari web browser across its platforms (e.g., macOS, iOS, iPadOS).

They can let attackers gain access to sensitive data and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.

Today, Apple addressed the zero-days in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 with improved input validation and locking.

The company says the bugs are now also patched on the following list of devices:

  • iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • Apple TV HD and Apple TV 4K (all models)
  • Apple Watch Series 4 and later

Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), discovered and reported both zero-day vulnerabilities.

Although Apple has yet to provide details about the vulnerabilities' exploitation in attacks, researchers at Google TAG have frequently identified and disclosed information on zero-day flaws employed in state-sponsored surveillance software attacks targeting high-profile individuals, including journalists, opposition figures, and dissidents.

CISA also ordered Federal Civilian Executive Branch (FCEB) agencies last week, on December 4, to patch their devices against these two security vulnerabilities based on evidence of active exploitation.

Since the start of the year, Apple has patched 20 zero-day vulnerabilities exploited in attacks:

  • two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
  • two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
  • five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
  • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • and another WebKit zero-day (CVE-2023-23529) in February