Apple has released emergency security updates to address two zero-day vulnerabilities that were actively exploited, bringing the total to 20 zero-days patched in the ongoing year. These vulnerabilities impacted a wide range of Apple devices, including iPhones, iPads, and Macs, necessitating swift action to protect users.
CVE-2023-42916 and CVE-2023-42917
The two vulnerabilities, CVE-2023-42916 and CVE-2023-42917, reside in the WebKit browser engine: one is an out-of-bounds read that lets attackers disclose sensitive information, the other a memory corruption bug that can lead to arbitrary code execution when processing malicious web content. Apple responded promptly, acknowledging a report that the issues may have been exploited against versions of iOS before iOS 16.7.1.
The comprehensive list of affected Apple devices includes iPhone models from XS and later, iPad Pro generations, iPad Air, iPad, iPad mini, and various Macs running macOS Monterey, Ventura, and Sonoma.
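With affected models spanning iPhone, iPad and three macOS releases, the practical question for an administrator is which devices in an inventory are still below the required OS version. The following fleet check is an added example and not code from the article or from Apple; the inventory records are constructed, and of the version thresholds only the iOS 16.7.1 boundary comes from the article, the rest are labelled placeholders that must be replaced with the fix versions from Apple's advisory.

```python
"""Flag devices whose OS version is below a per-platform minimum.

Added example (not from the article). Version strings are compared
numerically, component by component, so "16.7" sorts below "16.7.1" and
"17.1.2" sorts above "16.7.1" (a plain string compare would get both wrong).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str       # inventory identifier (constructed)
    platform: str   # "iOS", "iPadOS", "macOS", ...
    version: str    # OS version as exported by an MDM, e.g. "16.7.1"


def parse_version(v: str) -> tuple:
    """Turn '16.7.1' (optionally followed by a build, '16.7.1 (20H30)')
    into (16, 7, 1). Missing components compare as 0."""
    numeric = v.strip().split()[0]          # drop any trailing build string
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def below(version: str, minimum: str) -> bool:
    """True if `version` is older than `minimum`."""
    return parse_version(version) < parse_version(minimum)


def devices_needing_update(inventory, minimums):
    """Return (device, reason) pairs for every device that is below its
    platform minimum, or whose platform has no minimum defined (those are
    reported too, so they are reviewed rather than silently passed)."""
    flagged = []
    for d in inventory:
        required = minimums.get(d.platform)
        if required is None:
            flagged.append((d, "no minimum defined for platform"))
        elif below(d.version, required):
            flagged.append((d, f"{d.platform} {d.version} is below {required}"))
    return flagged


# Per-platform minimums. Only the iOS value is taken from the article
# (exploitation reported against iOS before 16.7.1); the iPadOS and macOS
# values are CONSTRUCTED PLACEHOLDERS and must be replaced with the fixed
# versions listed in Apple's security advisory.
MINIMUMS = {
    "iOS": "16.7.1",
    "iPadOS": "16.7.1",   # placeholder
    "macOS": "14.1.2",    # placeholder
}

# Constructed sample inventory.
INVENTORY = [
    Device("iphone-a", "iOS", "16.6"),
    Device("iphone-b", "iOS", "16.7.1"),
    Device("ipad-c", "iPadOS", "16.7"),
    Device("mac-d", "macOS", "14.1.2"),
    Device("watch-e", "watchOS", "10.1"),   # platform without a minimum
]

if __name__ == "__main__":
    for device, reason in devices_needing_update(INVENTORY, MINIMUMS):
        print(f"{device.name}: {reason}")
```

Unknown platforms are deliberately reported rather than skipped: an inventory check that stays quiet about a device type it does not recognise gives false assurance.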
Google’s Threat Analysis Group (TAG) played a pivotal role in uncovering these vulnerabilities, with security researcher Clément Lecigne leading the charge in reporting both zero-days. While Apple has not provided details on ongoing exploits, Google TAG researchers often expose zero-days linked to state-sponsored spyware campaigns targeting high-profile individuals like journalists, politicians, and dissidents.
Notably, CVE-2023-42916 and CVE-2023-42917 represent the 19th and 20th zero-day vulnerabilities addressed by Apple in 2023. Google TAG’s disclosure of another zero-day (CVE-2023-42824) targeting the XNU kernel revealed an exploit capable of escalating privileges on iPhones and iPads.
Apple’s dedication to cybersecurity was further underscored by the recent patching of three zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG. These vulnerabilities, once exploited, facilitated the deployment of the notorious Predator spyware by threat actors.
Citizen Lab’s revelations of two additional zero-days (CVE-2023-41061 and CVE-2023-41064) in September added complexity to the unfolding narrative. Exploited as part of the BLASTPASS zero-click exploit chain, these vulnerabilities were instrumental in installing NSO Group’s Pegasus spyware.
The timeline of Apple's responses extends back to February, when a WebKit zero-day (CVE-2023-23529) was swiftly addressed. Subsequent months saw further fixes, covering zero-days in July (CVE-2023-37450 and CVE-2023-38606), June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), and April (CVE-2023-28206 and CVE-2023-28205).