Apple recommends customers replace to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. Google’s Menace Evaluation Group found these safety bugs.
Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; customers are suggested to replace to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities have been found by Google’s Menace Evaluation group, which has been engaged on fixes for energetic Chrome vulnerabilities this week as nicely.
Bounce to:
What are these Apple OS vulnerabilities?
“Apple is conscious of a report that this subject might have been exploited in opposition to variations of iOS earlier than iOS 16.7.1,” based on Apple’s submit concerning the safety updates on Nov. 30. This means that attackers could also be actively utilizing the vulnerabilities.
Apple’s replace mentioned the issue originated in WebKit, the engine used for Apple’s browsers, the place “processing net content material might result in arbitrary code execution.” The updates repair an out-of-bounds learn by improved enter validation and restore a reminiscence corruption vulnerability utilizing improved locking.
SEE: Attackers have launched eavesdropping assaults on Apple gadgets during the last 12 months. (TechRepublic)
The primary vulnerability, the out-of-bounds learn, is tracked as CVE-2023-42916. The replace addressing it’s accessible for:
- iPhone XS and later.
- iPad Professional 12.9-inch 2nd era and later.
- iPad Professional 10.5-inch.
- iPad Professional 11-inch 1st era and later.
- iPad Air third era and later.
- iPad sixth era and later.
- iPad mini fifth era and later.
The second vulnerability, the reminiscence corruption, is tracked as CVE-2023-42917. The replace addressing it’s accessible for:
- iPhone XS and later.
- iPad Professional 12.9-inch 2nd era and later.
- iPad Professional 10.5-inch.
- iPad Professional 11-inch 1st era and later.
- iPad Air third era and later.
- iPad sixth era and later.
- iPad mini fifth era and later.
Info is sparse concerning the vulnerabilities, which Apple mentioned have been investigated by Clément Lecigne at Google’s Menace Evaluation Group; the group’s said mission is to “counter government-backed assaults.”
Remediation and safety in opposition to the WebKit exploits
Apple customers ought to make certain they’re working the newest model of their working system, as a normal safety greatest observe in addition to within the case of energetic vulnerabilities corresponding to these. Apple has supplied an entire checklist of probably the most up-to-date software program updates.
A busy week for the Google Menace Evaluation Group
The Google Menace Evaluation Group additionally noticed and stuck an out of bounds reminiscence entry and 6 different vulnerabilities in Google Chrome earlier this week. On Nov. 28, Google introduced a Chrome replace to deal with the next:
- Kind Confusion in Spellcheck.
- Use after free in Mojo.
- Use after free in WebAudio.
- Out of bounds reminiscence entry in libavif.
- Use after free in libavif.
- Integer overflow in Skia.
“We’d additionally wish to thank all safety researchers that labored with us through the growth cycle to forestall safety bugs from ever reaching the secure channel,” the Chrome workforce wrote within the submit concerning the safety replace.
TechRepublic contacted Apple and Google for commentary about this story. Apple referred us to the safety launch notes; Google has not responded on the time of publication.
