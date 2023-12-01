
by Shweta Sharma, Senior Writer

Apple patches info-stealing, zero day bugs in iPads and Macs

News
Dec 01, 2023 | 3 mins
Zero-day vulnerability

The vulnerabilities, which can leak sensitive information and enable arbitrary code execution, have been exploited in the wild.

[Image: MacBook. Credit: IDG]

Apple has released patches for two security issues in its WebKit browser engine that the iPhone maker believes have been exploited as zero-days.

Tracked as CVE-2023-42916 and CVE-2023-42917, the vulnerabilities can be exploited while processing web content to leak sensitive information and to execute arbitrary code, respectively, Apple said.

"Apple is aware of report(s) that the issue(s) may have been exploited against versions of iOS before iOS 16.7.1," Apple said in the software release note.

To address the bugs, Apple has released updates for iOS, iPadOS, macOS, and the Safari web browser.

Flaws allow info stealing and arbitrary code execution

According to Apple, CVE-2023-42916 is an out-of-bounds read that occurs while an affected WebKit processes web content and could be exploited to leak sensitive browser information. CVE-2023-42917 is a memory corruption bug that could allow arbitrary code execution.

CVE-2023-42916 and CVE-2023-42917 were respectively patched with improved input validation and locking, according to Apple.

Clement Lecigne of Google’s Threat Analysis Group (TAG) was credited for discovering and reporting the flaws.

Apple did not share the exact nature of the exploits discovered in the wild. "For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available," Apple said.

The patches, shipped as iOS 17.1.2, iPadOS 17.1.2, and Safari 17.1.2, have been released for the range of Apple devices believed to carry these vulnerabilities.
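For defenders the practical follow-up is a fleet check: which managed devices are still below the release numbers named above. The script below is an added illustration, not code from Apple or from this article. It takes the minimum versions the article gives (iOS 17.1.2, iPadOS 17.1.2, Safari 17.1.2), compares dotted version strings numerically rather than lexically (so 17.10 is newer than 17.9 and 17.1 equals 17.1.0), and reports every device it cannot clear, including products with no stated baseline here (macOS, whose patched build the article does not name) and unparsable version strings. The inventory is constructed sample data in the shape an MDM export might take; real baselines, including those for devices on an older release branch, must be confirmed against Apple's own advisory.

```python
"""Flag Apple devices whose OS or browser version is below the patched releases.

Added example (not from the article or Apple): PATCHED_MIN holds the release
numbers named in the article. SAMPLE_INVENTORY is constructed data, not real
devices; its field names are an assumption about an MDM export's shape.
"""
from __future__ import annotations

import re
from typing import Iterable

# Minimum patched versions named in the article, keyed by product.
PATCHED_MIN = {
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "Safari": "17.1.2",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2); reject anything that is not dotted digits."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison: 17.9 < 17.10, and 17.1 == 17.1.0 (missing parts count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def unpatched_devices(inventory: Iterable[dict]) -> list[dict]:
    """Return every device that cannot be cleared against PATCHED_MIN, with a reason.

    Devices on products without a baseline, or with unparsable versions, are
    reported for triage rather than silently skipped.
    """
    findings = []
    for dev in inventory:
        product, version = dev.get("product"), dev.get("version", "")
        minimum = PATCHED_MIN.get(product)
        if minimum is None:
            findings.append({**dev, "reason": "no baseline for product"})
            continue
        try:
            below = version_lt(version, minimum)
        except ValueError as exc:
            findings.append({**dev, "reason": str(exc)})
            continue
        if below:
            findings.append({**dev, "reason": f"below {minimum}"})
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "ipad-001", "product": "iPadOS", "version": "17.1.2"},
    {"id": "ipad-002", "product": "iPadOS", "version": "17.1.1"},
    {"id": "iphone-003", "product": "iOS", "version": "17.0.3"},
    {"id": "mac-004", "product": "Safari", "version": "17.1.2"},
    {"id": "mac-005", "product": "Safari", "version": "17.1"},
    {"id": "mac-006", "product": "macOS", "version": "14.1.1"},
    {"id": "iphone-007", "product": "iOS", "version": "unknown"},
]

if __name__ == "__main__":
    for f in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{f['id']:12} {f['product']:7} {f['version']:8} {f['reason']}")
```

Run against the sample inventory, the script lists five devices: two iPadOS/iOS builds below 17.1.2, a Safari 17.1 that padding correctly treats as 17.1.0, the macOS device for which this article names no patched build, and the device with an unparsable version string. Treating "cannot verify" as a finding rather than a pass is the point of the design: a patch-compliance report that quietly drops devices it does not understand overstates coverage.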

WebKit serves as a lucrative attack surface

Apple prohibits third-party web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, from using any browser engine other than WebKit, which makes WebKit the prime target for attackers looking to infect Apple devices.

Separately, a group of US and German university researchers recently published a proof-of-concept (PoC) exploit that steals sensitive user data from Apple devices by improving on the side-channel techniques used by Spectre and Meltdown, the vulnerabilities that alarmed CISOs when they first surfaced in 2018.

Apple has had a busy year of patches, with several bugs in its devices exploited in the wild. In June, the company patched two remote code execution (RCE) zero-days that were allegedly exploited in a digital espionage campaign, Operation Triangulation.

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.
