Apple addressed 2 new iOS zero-day vulnerabilities

Pierluigi Paganini November 30, 2023

Apple released emergency security updates to fix two actively exploited zero-day flaws impacting iPhone, iPad, and Mac devices.

Apple released emergency security updates to address two zero-day vulnerabilities impacting iPhone, iPad, and Mac devices. The flaws are actively exploited in attacks in the wild, both issues reside in the WebKit browser engine.

The first vulnerability, tracked as CVE-2023-42916, is an out-of-bounds read. An attacker can trick a victim into visiting specially crafted web content to disclose sensitive information.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.” the advisory.

The company addressed the flaw with improved input validation.

The second vulnerability, tracked as CVE-2023-42917, is a memory corruption vulnerability. An attacker can trick a victim into visiting specially crafted web content to potentially execute arbitrary code on the impacted devices.

The company addressed the flaw with improved locking.

Clément Lecigne of Google’s Threat Analysis Group discovered both vulnerabilities. The fact that the issues were discovered by Google TAG suggests they were exploited by a nation-state actor or by a surveillance firm.

Apple addressed the flaws with the release of , , and .

The vulnerabilities impact the following devices:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • Macs running macOS Monterey, Ventura, Sonoma

The IT giant fixed 19 zero-day flaws from the start of the year.

The remaining seventeen vulnerabilities are

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, zero-day)



you might also like

leave a comment