November 30, 2023 at 01:54PM
Apple addressed two WebKit vulnerabilities (CVE-2023-42916 and CVE-2023-42917) affecting pre-iOS 16.7.1 devices. Improved validation fixes an out-of-bounds read and improved locking resolves a memory corruption issue. Updates are available for macOS Monterey and Ventura. Potential exploitation of both issues has been reported.
Takeaways from the meeting:
1. An Apple advisory with ID HT214033 was issued, announcing security updates.
2. The release date for this update is set for November 30, 2023.
3. Two Common Vulnerabilities and Exposures (CVEs) were identified and addressed.
a. CVE-2023-42916: This vulnerability involved an out-of-bounds read that was fixed through improved input validation. The impact of this issue could have led to the disclosure of sensitive information when processing web content. There were reports that this vulnerability may have been exploited in versions of iOS prior to iOS 16.7.1.
b. CVE-2023-42917: This vulnerability was related to memory corruption and was fixed with improved locking mechanisms. The exploitation of this vulnerability could result in arbitrary code execution upon processing web content. It was reported that this issue might have been exploited in iOS versions before iOS 16.7.1.
4. The affected product for both vulnerabilities is WebKit, which is the underlying engine for the Safari browser and other web-related processes in Apple’s operating systems.
5. Updates to address these vulnerabilities are available for macOS Monterey and macOS Ventura.
It is important that the relevant teams are made aware of these updates and ensure that all affected systems are patched promptly to mitigate any risk of exploitation.