Apple fixes two new iOS zero-days in emergency updates

Trending 3 months ago


Apple appear emergency aegis updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, extensive 20 zero-days patched back the alpha of the year.

"Apple is acquainted of a address that this affair may accept been exploited adjoin versions of iOS afore iOS 16.7.1," the aggregation said in an advising issued on Wednesday.

The two bugs were begin in the WebKit browser agent (CVE-2023-42916 and CVE-2023-42917), acceptance attackers to accretion acceptance to acute advice via an out-of-bounds apprehend weakness and accretion approximate cipher beheading via a anamnesis bribery bug on accessible accessories via maliciously crafted webpages.

The aggregation says it addressed the aegis flaws for accessories active iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with bigger ascribe validation and locking.

The account of impacted Apple accessories is absolutely extensive, and it includes:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd bearing and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st bearing and later, iPad Air 3rd bearing and later, iPad 6th bearing and later, and iPad mini 5th bearing and later
  • Macs active macOS Monterey, Ventura, Sonoma

Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) begin and appear both zero-days.

While Apple has not appear advice apropos advancing corruption in the wild, Google TAG advisers accept generally begin and appear zero-days acclimated in state-sponsored spyware attacks adjoin high-risk individuals, such as journalists, action politicians, and dissidents.

20 zero-days exploited in the agrarian anchored in 2023

CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple anchored this year.

Google TAG appear addition zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to amplify privileges on accessible iPhones and iPads.

Apple afresh patched three added zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) appear by Citizen Lab and Google TAG advisers and exploited by blackmail actors to arrange Predator spyware.

Citizen Lab appear two added zero-days (CVE-2023-41061 and CVE-2023-41064), anchored by Apple in September and abused as allotment of a zero-click accomplishment alternation (dubbed BLASTPASS) to install NSO Group's Pegasus spyware.

Since the alpha of the year, Apple has additionally patched:

  • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
  • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
  • three added zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
  • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
  • and another WebKit zero-day (CVE-2023-23529) in February