November 30, 2023 at 11:36PM
Apple rolled out updates for iOS, iPadOS, macOS, and Safari to fix two actively exploited WebKit vulnerabilities. These flaws could leak sensitive data and enable arbitrary code execution. The affected versions precede iOS 16.7.1, and all WebKit-based browsers on Apple devices are impacted. iPhone XS and later, along with certain iPad and Mac models, can update to the patched versions.
Meeting Summary:
Date: December 1, 2023
Topic: Apple Security Updates for Spyware/Threat Analysis
Key Points Discussed:
1. Apple has issued updates for iOS, iPadOS, macOS, and the Safari browser to rectify two actively exploited security vulnerabilities in WebKit.
2. The flaws are:
– CVE-2023-42916: An out-of-bounds read issue risking sensitive data exposure.
– CVE-2023-42917: A memory corruption issue potentially leading to arbitrary code execution.
3. The identified exploits were reportedly used on iOS versions prior to iOS 16.7.1, which was released on October 10, 2023.
4. Clément Lecigne from Google’s Threat Analysis Group discovered and reported these vulnerabilities.
5. No extra details about the exploitation have been provided, but similar past vulnerabilities have been used to deploy spyware against high-risk individuals.
6. Because WebKit is the sole rendering engine allowed for all third-party browsers on iOS and iPadOS, the risk and impact of such vulnerabilities are increased.
7. List of updates and the devices they apply to:
– iOS 17.1.2 and iPadOS 17.1.2: Available for iPhone XS and newer, various iPad models including the 2nd generation 12.9-inch iPad Pro and later, 3rd generation iPad Air and later, 6th generation iPad and later, and the 5th generation iPad mini and later.
– macOS Sonoma 14.1.2: Available for all Macs running macOS Sonoma.
– Safari 17.1.2: Available for Macs running macOS Monterey and macOS Ventura.
8. These fixes bring the total number of zero-day exploits addressed by Apple in 2023 to 19.
9. The update announcement closely follows Google’s own patch for a high-severity zero-day flaw in Chrome (CVE-2023-6345), marking the seventh such patch by Google this year.
Action Items:
– Ensure all relevant devices and software are updated to the newest patched versions.
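One way to act on this item is to check an asset inventory against the patched versions listed in point 7. The following is an added example, not part of the original summary; the inventory records, host names and field names are constructed, and the mapping of macOS 12 and 13 to Monterey and Ventura is applied so that those Macs are judged by their Safari version rather than their OS version.

```python
# Added example. Patched versions come from the update list above; the
# inventory records and their field names are constructed for illustration.
PATCHED = {
    "iOS": (17, 1, 2),
    "iPadOS": (17, 1, 2),
    "macOS": (14, 1, 2),   # macOS Sonoma
    "Safari": (17, 1, 2),  # delivered separately on Monterey and Ventura
}

def parse_version(text):
    """'17.1' -> (17, 1, 0), so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(device):
    """Return 'patched', 'update' or 'unknown' for one inventory record."""
    platform = device["platform"]
    os_ver = parse_version(device["os_version"])
    if platform in ("iOS", "iPadOS"):
        return "patched" if os_ver >= PATCHED[platform] else "update"
    if platform == "macOS":
        if os_ver[0] >= 14:  # Sonoma: the fix is part of the OS update
            return "patched" if os_ver >= PATCHED["macOS"] else "update"
        if os_ver[0] in (12, 13):  # Monterey, Ventura: fix is Safari 17.1.2
            safari = device.get("safari_version")
            if not safari:
                return "unknown"  # Safari version was not collected
            ok = parse_version(safari) >= PATCHED["Safari"]
            return "patched" if ok else "update"
    return "unknown"  # platform or OS release not covered by the update list

# Constructed sample inventory.
INVENTORY = [
    {"host": "phone-01", "platform": "iOS", "os_version": "16.7.2"},
    {"host": "phone-02", "platform": "iOS", "os_version": "17.1.2"},
    {"host": "tablet-01", "platform": "iPadOS", "os_version": "17.1"},
    {"host": "mac-01", "platform": "macOS", "os_version": "14.1.1"},
    {"host": "mac-02", "platform": "macOS", "os_version": "13.6.1",
     "safari_version": "17.1.2"},
    {"host": "mac-03", "platform": "macOS", "os_version": "12.7.1"},
]

def report(inventory):
    """Map each host name to its assessment."""
    return {d["host"]: assess(d) for d in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Records that come back as "unknown" need manual follow-up: either the Safari version was not collected, or the OS release is not one the update list covers.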