Apple emergency updates fix recent zero-days on older iPhones

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in security advisories published on December 4th.

The two vulnerabilities, now tracked as CVE-2023-42916 and CVE-2023-42917, were discovered within the WebKit browser engine, developed by Apple and used by the company's Safari web browser across its platforms (e.g., macOS, iOS, iPadOS).

They can let attackers obtain access to sensitive data through and execute arbitrary code using maliciously crafted webpages designed to exploit out-of-bounds and memory corruption bugs on unpatched devices.

On December 11th, Apple addressed the zero-days in iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2 with improved input validation and locking.

The company says the bugs are now also patched on the following list of devices:

• iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
• Apple TV HD and Apple TV 4K (all models)
• Apple Watch Series 4 and later

Clément Lecigne, a security researcher from Google's Threat Analysis Group (TAG), discovered and reported both zero-day vulnerabilities.

Although Apple has yet to provide details about the vulnerabilities' exploitation in attacks, researchers at Google TAG have frequently identified and disclosed information on zero-day flaws employed in state-sponsored surveillance software attacks targeting high-profile individuals, including journalists, opposition figures, and dissidents.

CISA also ordered Federal Civilian Executive Branch (FCEB) agencies last week, on December 4, to patch their devices against these two security vulnerabilities based on evidence of active exploitation.

Since the start of the year, Apple has patched 20 zero-day vulnerabilities exploited in attacks:

• two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
• two zero-day (CVE-2023-42824 and CVE-2023-5217) in October
• five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
• two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
• three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
• three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
• two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
• and another WebKit zero-day (CVE-2023-23529) in February

Source: .bleepingcomputer.com