Apple has issued fixes for two actively exploited flaws in its WebKit browser engine. The fixes exist for Macs, iPhones and iPads.
According to Apple, one of the flaws (CVE-2023-42916) is an out-of-bounds read issue that can enable sensitive information disclosure when processing web content. The other flaw (CVE-2023-42917) is a memory corruption bug that can allow for arbitrary code execution when processing web content.
While vague on the exact details of the exploits, Apple said in its Thursday security updates that it “is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.”
The patches are available for macOS Sonoma (version 14.1.2), as well as Safari (version 17.1.2) on macOS Monterey and macOS Ventura. Additionally, updates are available in iOS 17.1.2 and iPadOS 17.1.2. Several older iPhone and iPad models are impacted, including iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
Both flaws were discovered by Clément Lecigne of Google's Threat Analysis Group.
Apple’s fixes come on the heels of a rash of zero-days in September, when it fixed actively exploited flaws across its kernel framework, security framework, Image I/O framework, Apple Wallet, and WebKit. Two of these flaws were part of an exploit chain called BLASTPASS, which researchers said was capable of compromising iPhones running the then-latest version of iOS (16.6) without victim interaction.
No further details have been released about these most recent exploited flaws. Apple said CVE-2023-42916 was fixed with improved input validation, while CVE-2023-42917 was addressed through “improved locking.”