Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Trending 2 months ago

Apple has issued emergency fixes to bung aegis flaws in iPhones, iPads, and Macs that may already be beneath attack.

The software updates for iOS, iPadOS, macOS Sonoma, and Safari web browser abode two bugs: an out-of-bounds apprehend blemish tracked as CVE-2023-42916, and a anamnesis bribery vulnerability tracked as CVE-2023-42917. 

Both are in the WebKit web browser agent – the affection of Safari, as begin on iThings and Macs – and can be abused to acceptance acute advice (CVE-2023-42916) and assassinate approximate cipher (CVE-2023-42917) on accessible devices. It appears a awful webpage or agnate agreeable can accomplishment these holes: we brainstorm an advance would absorb tricking a mark into a aperture a folio that again hijacks their accessories and snoops on them.

The account of afflicted accessories is long, and includes:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd bearing and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st bearing and later, iPad Air 3rd bearing and later, iPad 6th bearing and later, and iPad mini 5th bearing and later
  • Macs active macOS Monterey, Ventura, Sonoma

"Apple is acquainted of a address that this affair may accept been exploited," the Silicon Valley corp said about both bugs in the November 30 aegis update.

While we don't accept capacity about who may accept been dabbling cipher in Apple devices, and what angry accomplishments they were acceptable doing, both were begin by Clément Lecigne of Google's Threat Analysis Group (TAG).

TAG keeps a abutting eye on nation-state espionage crews, as able-bodied as bartering spyware vendors, and some of the beforehand Apple bugs accept been acclimated to arrange Pegasus and TriangleDB concern malware on compromised phones and computers. 

  • Apple drops burning application adjoin birdbrained TriangleDB iPhone malware
  • Apple opens anniversary applications for chargeless hackable iPhones
  • Uh-oh, amend Google Chrome – accomplishment already out there for one of these 6 aegis holes
  • Plex gives admirers a aloofness circuitous afterwards administration examination habits with accompany by default

In May, Cupertino anchored three added WebKit flaws beneath exploit that had additionally been spotted by Lecigne and Amnesty International. These types of bugs tend to be exploited in targeted attacks adjoin politicians, journalists, academics, activists and others.

And additionally this week: Google anchored a bug in its Chrome browser that Lecigne found. This vulnerability, CVE-2023-6345, was additionally exploited by miscreants afore Google issued the patch.

As with the Apple flaws, we don't accept abounding capacity about the Chrome vulnerability, added than it's a high-severity accumulation overflow affair in Skia, a accepted cartoon library acclimated by the browser. But if we had to bet, we'd put money on all of these actuality exploited by cyber snoops for espionage purposes.

So afore you arch into the weekend, it's apparently a acceptable abstraction to amend everything. ®