Apple released emergency updates to address two actively exploited zero-day vulnerabilities discovered in the WebKit browser engine used by iPhones, iPads, and MacBooks running versions of iOS 16.7.1.
The two out-of-bounds read vulnerabilities, designated CVE-2023-42916 and CVE-2023-42917, could allow threat actors to gain access to sensitive data and execute arbitrary code on the device. However, for the exploit to be successful, the target must visit a maliciously crafted webpage using the vulnerable device.
2023 has been a rough year for Apple in terms of threat actors exploiting vulnerabilities in its WebKit browser engine. In September 2023, Apple released a patch to address CVE-2023-41993, another actively exploited vulnerability that could lead to code execution while processing web content. It appears that the patch for this issue wasn’t completely effective, given the discovery of two similar vulnerabilities two months later.
The exploitation of these vulnerabilities can be achieved with phishing or watering hole attacks, during which threat actors must create and deliver content, via email or browser, that contains exploit code. When the malicious content is rendered by Apple WebKit, the exploit is triggered, and the device is compromised.
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software such as Apple’s operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of affected Apple devices to update to the latest operating system as soon as possible.