Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

December 1, 2023 at 04:33PM

Apple has released critical updates for iOS, iPadOS, macOS, and Safari to fix two serious security vulnerabilities (CVE-2023-42916 & CVE-2023-42917) potentially exploited in targeted attacks. The flaws, identified by Google’s Clément Lecigne, affect a wide range of Apple devices and could allow data access and code execution. Concurrently, Google patched a Chrome bug (CVE-2023-6345). Users are advised to update their devices immediately.

Takeaways:

1. Apple has released emergency updates to address security flaws in various devices and software, including iPhones, iPads, Macs, and the Safari web browser. These updates are critical and should be applied promptly.

2. Two specific bugs have been patched:
– CVE-2023-42916: An out-of-bounds read flaw that could allow access to sensitive information.
– CVE-2023-42917: A memory corruption vulnerability that could be exploited to execute arbitrary code on a device.

3. WebKit, the core engine for the Safari browser across Apple devices, is the component that contains these vulnerabilities.

4. A potential attack vector is identified as a malicious webpage that, when accessed, could hijack devices and compromise user data.

5. Affected Apple devices include:
– iPhone XS and later models
– Various iPad Pro models, starting from the iPad Pro 12.9-inch 2nd generation and later
– iPad Air (3rd generation and later), iPad (6th generation and later), iPad mini (5th generation and later)
– Macs running macOS Monterey, Ventura, and Sonoma

6. Apple has acknowledged that there may have been active exploitation of these flaws.

7. The vulnerabilities were discovered by Clément Lecigne of Google’s Threat Analysis Group, known for monitoring state-sponsored espionage and commercial spyware.

8. Prior targeted use of similar bugs has been observed in cyberattacks against high-profile individuals and groups, including politicians, journalists, activists, and more.

9. Additionally, Google patched a separate high-severity Chrome browser vulnerability (CVE-2023-6345), also discovered by Lecigne, which involved an integer overflow in the Skia graphics library.

10. Given the serious nature of these vulnerabilities and the possibility of targeted espionage, users are strongly advised to update their software across all affected devices to ensure security.

Action Items:
– Communicate to all relevant parties within the organization the necessity of updating Apple devices to the latest security patches immediately.
– Verify that all company devices, including iPhones, iPads, and Macs, are running the latest versions of iOS, iPadOS, macOS, and Safari to mitigate these security risks.
– Keep abreast of any further information from Apple regarding the exploited vulnerabilities and subsequent security measures.
– Update security protocols and training to include awareness of potential malicious web content and how to avoid it.
– Confirm that Chrome browsers have been updated to the patched version to protect against the exploited vulnerability discovered by Google’s TAG.
