Apple Patches Actively Exploited iOS Zero-Days

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Apple has been forced to patch yet another pair of zero-day vulnerabilities, bringing the total for the year to 20.

The tech giant said that the two bugs in its WebKit browser engine were being actively exploited in the wild.

The first vulnerability, CVE-2023-42916, is found in a range of Apple products: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The flaw is described as an “out-of-bounds read” which Apple addressed with improved input validation.

“Processing web content may disclose sensitive information,” Apple said of its impact.

Read more on Apple zero-days: Apple Issues Emergency Patches for More Zero-Day Bugs

The second vulnerability, CVE-2023-42917, is a memory corruption flaw in WebKit which was addressed with “improved locking.” 

It is present in the same list of products as the first vulnerability.

“Processing web content may lead to arbitrary code execution,” Apple said of the flaw.

Both bugs were discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a researcher and an organization known for finding vulnerabilities and exploits used in commercial spyware operations.

Just this week, he was cited by Google in a Chrome update for finding CVE-2023-6345, an integer overflow issue in open source 2D graphics library Skia, linked to similar state-sponsored activity.

The continued discovery of zero-day vulnerabilities in Apple kit, frequently researched by commercial spyware organizations to deliver eavesdropping capabilities to targeted devices, hint that such operations are still very much alive and well despite Western pressure.

The US has placed organizations like NSO Group on trade blacklists in an attempt to stifle their business, and in March President Biden approved an executive order (EO) banning government use of any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.

Image credit: NYC Russ / Shutterstock.com

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

MDR: Unlocking the power of enterprise-grade security for businesses of all sizes
Millions of Malicious ‘Imageless’ Containers Planted on Docker Hub Over 5 Years
Why space exploration is important for Earth and its future: Q&A with David Eicher
The vision behind Starmus – A Q&A with the festival’s co-founder Garik Israelian
State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities

Leave a Reply

Your email address will not be published. Required fields are marked *