Apple released an important security update today for iPhone, iPad, and Mac. The list of fixes is short, but iOS 17.1.2 and macOS Sonoma 14.1.2 patch two web-based security flaws that have been actively exploited.
In the on-device release notes for these updates, Apple uses its typical boilerplate statement: “This update provides important security fixes and is recommended for all users.”
But Apple’s security updates page lists the details of the two exploited flaws – both of which were for WebKit and reported as actively exploited.
Both flaws are triggered by processing web content: the first can disclose sensitive information (an out-of-bounds read), and the second can lead to arbitrary code execution (a memory corruption bug).
Here are the full details:
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: An out-of-bounds read was addressed with improved input validation.
WebKit Bugzilla: 265041
CVE-2023-42916: Clément Lecigne of Google’s Threat Analysis Group
WebKit
Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Description: A memory corruption vulnerability was addressed with improved locking.
WebKit Bugzilla: 265067
CVE-2023-42917: Clément Lecigne of Google’s Threat Analysis Group
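For anyone verifying a fleet against this advisory, the only practical check is whether the installed OS version is at or above the release that carries the WebKit fixes. The following POSIX sh script is an added example, not code from the article or from Apple; it assumes the fixed releases named above (iOS 17.1.2, macOS Sonoma 14.1.2) and that `sw_vers -productVersion` is available on the Mac being checked. The function and OS names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the article or from Apple: a small POSIX sh
# check that an Apple OS version string is at or above the release the
# article names as carrying the WebKit fixes (iOS 17.1.2, macOS Sonoma 14.1.2).

# field VERSION N: print the N-th dot-separated component of VERSION,
# or nothing if there is no such component. The trailing dot guarantees
# cut always sees a delimiter, even for a bare "14".
field() {
  printf '%s.' "$1" | cut -d. -f"$2"
}

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing
# component by component as integers, so 14.10 > 14.9 and 14.1 < 14.1.2.
version_ge() {
  i=1
  while :; do
    x=$(field "$1" "$i")
    y=$(field "$2" "$i")
    # both strings exhausted: the versions are equal
    [ -z "$x" ] && [ -z "$y" ] && return 0
    x=${x:-0}
    y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# patched_for_webkit_fixes OS VERSION: succeed if VERSION of OS ("ios" or
# "macos", names chosen for this example) is at or above the fixed release
# given in the article. Older release lines (e.g. iOS 16.x) are not covered
# by the article's text, so they are reported as unpatched here; check those
# against Apple's security updates page.
patched_for_webkit_fixes() {
  case "$1" in
    ios)   version_ge "$2" 17.1.2 ;;
    macos) version_ge "$2" 14.1.2 ;;
    *)     return 2 ;;
  esac
}

# check_local_macos: on a Mac, read the installed version with sw_vers and
# report; on other systems explain and return 2.
check_local_macos() {
  if ! command -v sw_vers >/dev/null 2>&1; then
    echo "sw_vers not found (not macOS)"
    return 2
  fi
  v=$(sw_vers -productVersion)
  if patched_for_webkit_fixes macos "$v"; then
    echo "macOS $v: at or above 14.1.2"
  else
    echo "macOS $v: below 14.1.2, update needed"
    return 1
  fi
}
```

The component-wise integer comparison matters: a plain string comparison would rank 14.9 above 14.10 and call 14.1 equal-or-newer than 14.1.2, which is exactly the kind of false "patched" result that leaves a device exposed.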