You can now find Cyber Kendra on Google News!

Apple Fix Critical iOS Zero-Day Flaws With Emergency Patch

iOS Zero-Day Flaws

Apple has released urgent software updates to patch two actively exploited zero-day vulnerabilities impacting iPhones, iPads, and Macs running iOS, iPadOS, macOS, and Safari.

The flaws could enable hackers to execute malicious code or access sensitive user information by getting users to visit a malicious website. Apple said it was "aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1."

Actively Exploited WebKit Browser Engine Bugs

Both vulnerabilities exist in WebKit, the browser engine that powers Safari and all web content displayed in apps on Apple devices.

The flaws are:

  1. CVE-2023-42916: A memory corruption issue that could allow arbitrary code execution.
  2. CVE-2023-42917: An out-of-bounds read issue that could disclose sensitive user information.

By convincing a user to visit a malicious website, attackers could leverage these flaws to compromise devices running vulnerable Apple software before patches were released.

The list of impacted Apple devices and software is extensive. Vulnerable devices include:

  • iPhone XS and later
  • iPad Pro 12.9-inch 2nd generation and later
  • iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
  • iPad Air 3rd generation and later, iPad 6th generation and later
  • iPad mini 5th generation and later

Vulnerable software versions include:

  • iOS up to 16.7.1
  • iPadOS up to 16.7.1
  • macOS Monterey, Ventura, Sonoma
  • Safari up to 17.1.1

To protect devices, Apple has released software updates iOS 17.1.2, iPadOS 17.1.2, macOS 14.1.2, and Safari 17.1.2. Users should install these patches immediately.

Discovery and Reporting

Both flaws were discovered and reported to Apple by Clément Lecigne of  Google Threat Analysis Group (TAG). While specific exploitation details are unknown, Google TAG has a track record of finding and reporting zero days tied to commercial spyware and nation-state hacking.

An Escalating Zero-Day Crisis

So far in 2023, Apple has patched 20 zero-day flaws that were being actively exploited in attacks - an extremely high number indicating the company is facing an escalating zero-day crisis.

Other high-profile examples this year include:

  • Zero days exploited by Predator spyware, disclosed by Citizen Lab and Google TAG
  • Zero days enabling Pegasus spyware infection via a zero-click iMessage attack

Additional kernel and WebKit browser zero-days with unclear attribution

The rapid proliferation of commercial spyware vendors and increased capabilities of nation-state hackers appear to be fueling a surge in zero-day attacks targeting Apple’s historically strong security posture.

While Apple’s quick patching response helps limit some risks, users should remain vigilant, keep devices updated, and practice good security hygiene to mitigate sophisticated hacking threats.

The extremely high number of in-the-wild exploits this year underscores iOS, iPadOS, and macOS have become priority targets for well-resourced and motivated adversaries. Users and organizations relying on Apple devices for sensitive communications or data should consider adopting a defence-in-depth security model to reduce the attack surface.

Post a Comment