
Apple responds to zero-day vulnerabilities with hotfixes

Apple has taken urgent action to fix two critical security flaws

Apple has released an urgent update to fix two zero-day vulnerabilities affecting iPhone, iPad and Mac devices. The flaws, located in the WebKit rendering engine, allowed attacks via malicious web pages that could lead to unauthorized memory reading, memory corruption and code execution. The security updates cover a wide range of devices, from the iPhone XS onwards as well as various iPad and Mac models.

Apple has released urgent security updates to fix two zero-day vulnerabilities affecting iPhone, iPad and Mac devices. These are the 19th and 20th such vulnerabilities addressed since the beginning of the year. According to Apple, versions prior to iOS 16.7.1 may have been subject to attacks exploiting these security flaws, signaling timely intervention to prevent further exploits.

Identification and impact of security flaws

The vulnerabilities, tracked as CVE-2023-42916 and CVE-2023-42917, reside in the WebKit rendering engine. Attacks via malicious web pages could lead to unauthorized memory reading and arbitrary code execution. Apple has mitigated the issues with updates that introduce improved input validation and strengthened security mechanisms, delivered in iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.

List of affected Apple devices

The updates affect a broad spectrum of Apple devices, which include: iPhone starting from the XS model, various generations of iPad Pro, iPad Air from the third generation onwards, iPad from the sixth generation and iPad mini from the fifth. Macs with macOS Monterey, Sonoma and Ventura also need the update. The flaws were discovered and reported by Clément Lecigne of the Google Threat Analysis Group (TAG).

Zero-day vulnerability situation in 2023

CVE-2023-42916 and CVE-2023-42917 are just the latest in a series of zero-days faced by Apple this year. Previously, Google's TAG also revealed another flaw (CVE-2023-42824) in the XNU kernel, while Citizen Lab and Google TAG discovered three vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) exploited to spread the Predator malware. Since the beginning of the year, Apple has also patched other zero-day vulnerabilities, demonstrating an ongoing focus and commitment to protecting its users against such threats.


11/30/2023 20:50

Marco Verro
