Apple Addresses Exploited Zero-Day Vulnerabilities with Emergency Security Update: CVE-2023-42916, CVE-2023-42917
[Update] December 13, 2023: See the subheading “Apple Zero-Day Vulnerabilities Are Now Also Patched for Older Devices.”
[Update] December 5, 2023: See the subheading “CISA Lists Apple Zero-Day Vulnerabilities Under KEV Catalog.”
Apple has released emergency security updates to counteract two zero-day vulnerabilities actively exploited in the wild. Tracked as CVE-2023-42916 and CVE-2023-42917, these vulnerabilities affect the WebKit browser engine on iPhone, iPad, and Mac devices.
Significantly, Apple emerged as the second most targeted vendor in this year’s review of the CISA Known Exploited Vulnerabilities (KEV) catalog, following Microsoft. These two zero-day vulnerabilities will add to Apple’s KEV count once they are catalogued, on top of the entries already recorded.
Apple defines the first zero-day, CVE-2023-42916, as an out-of-bounds read issue. It can allow attackers to disclose sensitive information by luring victims to specially crafted web content.
The second vulnerability, CVE-2023-42917, involves memory corruption, enabling attackers to execute arbitrary code on targeted devices after luring victims into visiting specially crafted web content.
Currently, no CVSS scores have been assigned to these vulnerabilities.
Both CVE-2023-42916 and CVE-2023-42917 were uncovered by Clément Lecigne from Google’s Threat Analysis Group (TAG). Apple acknowledges that these zero-day vulnerabilities may have been exploited in the wild, in particular against iOS versions preceding 16.7.1.
Which Apple Devices Are Affected by CVE-2023-42916 and CVE-2023-42917?
Both the CVE-2023-42916 and CVE-2023-42917 vulnerabilities affect:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch
- iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, Sonoma
Apple users are strongly advised to update their devices promptly to close off exploitation of these vulnerabilities.
CISA Lists Apple Zero-Day Vulnerabilities Under KEV Catalog
Based on evidence of active exploitation, CISA has incorporated the recent Apple zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) into the Known Exploited Vulnerabilities (KEV) Catalog. The agency is urging organizations to promptly patch these vulnerabilities before the due date of December 25, 2023.
Update Your Apple Products to the Latest Version
Apple has promptly addressed the vulnerabilities with the release of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
While no further information is available about CVE-2023-42916 and CVE-2023-42917, Apple’s advisory highlights that CVE-2023-42916 was resolved with improved input validation. Additionally, CVE-2023-42917 was resolved through enhanced locking mechanisms.
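The following fleet check is an added example, not code from SOCRadar or Apple. It takes the fixed versions listed above (iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2) and flags inventory entries that are still below them, comparing versions numerically rather than as strings so that a release such as 17.1.10 is not mistakenly ranked below 17.1.2. The device inventory, the platform names and the inventory fields are constructed for illustration; the rule that Macs on Monterey or Ventura are covered by the Safari 17.1.2 release rather than an OS update is an inference from the version list in the article.

```python
"""Fleet check for the WebKit zero-days CVE-2023-42916 / CVE-2023-42917.

Added example, not SOCRadar or Apple code. Fixed-version numbers are the
ones named in the article; everything else (platform labels, inventory
fields, sample devices) is a constructed assumption for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# First releases that carry the fix, as listed in Apple's advisory.
PATCHED: dict[str, str] = {
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "macOS": "14.1.2",   # macOS Sonoma 14.1.2
    "Safari": "17.1.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2) so comparison is numeric, not lexical.

    A plain string comparison would rank '17.1.10' below '17.1.2'; tuples of
    ints compare component by component. Missing trailing components are
    padded with zeros, so '17.1' compares equal to '17.1.0'.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_patched(platform: str, version: str, safari_version: Optional[str] = None) -> bool:
    """True if the device runs at least the first fixed release.

    Assumption drawn from the article's version list: Macs on Monterey (12)
    or Ventura (13) get the fix through Safari 17.1.2 rather than an OS
    release, so for them the Safari version is what must be checked.
    """
    if platform not in PATCHED:
        raise KeyError(f"no fix baseline known for platform {platform!r}")
    if platform == "macOS" and parse_version(version)[0] < 14:
        if safari_version is None:
            return False  # unknown Safari build: treat as exposed
        return parse_version(safari_version) >= parse_version(PATCHED["Safari"])
    return parse_version(version) >= parse_version(PATCHED[platform])


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    version: str
    safari: Optional[str] = None  # only relevant for pre-Sonoma Macs


def unpatched_devices(inventory: list[Device]) -> list[Device]:
    """Return the devices still exposed to CVE-2023-42916 / CVE-2023-42917."""
    return [d for d in inventory if not is_patched(d.platform, d.version, d.safari)]


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    Device("iphone-ceo", "iOS", "17.1.2"),
    Device("iphone-sales-03", "iOS", "17.1.1"),
    Device("ipad-lobby", "iPadOS", "17.0.3"),
    Device("mbp-dev-12", "macOS", "14.1.2"),
    Device("mbp-dev-07", "macOS", "14.1.1"),
    Device("imac-finance", "macOS", "14.2"),
    Device("mbp-ventura-02", "macOS", "13.6.2", safari="17.1.1"),
    Device("mbp-ventura-05", "macOS", "13.6.2", safari="17.1.2"),
]

if __name__ == "__main__":
    for d in unpatched_devices(SAMPLE_INVENTORY):
        baseline = PATCHED["Safari"] if d.safari is not None else PATCHED[d.platform]
        print(f"UNPATCHED {d.name}: {d.platform} {d.version} (needs {baseline})")
```

Feed it the export of your MDM or asset inventory in place of `SAMPLE_INVENTORY`; the devices it returns are the ones to prioritise ahead of the CISA due date.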
Empowering Defense with SOCRadar’s Vulnerability Intelligence
With SOCRadar XTI, you can receive real-time alerts for critical vulnerabilities or exploits targeting specific product components and technologies within your digital footprint.
Moreover, SOCRadar’s Vulnerability Intelligence serves as an invaluable asset, keeping you abreast of vulnerabilities targeted by threat actors. It provides actionable insights and context, expediting assessment and verification processes for enhanced cybersecurity measures.