CISA has also acknowledged the active exploitation of two vulnerabilities in the Apple WebKit browser engine. CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog and requested users to patch it before Dec 25, 2023.
Clément Lecigne of Google’s Threat Analysis Group has discovered the CVE-2023-42916 and CVE-2023-42917.
Apple, in its advisory, has mentioned that the vulnerability may have been exploited against versions of iOS before iOS 16.7.1.
CVE-2023-42916
This out-of-bounds read vulnerability may allow an attacker to disclose sensitive information while processing web content. The vulnerability has been addressed with improved input validation.
CVE-2023-42917
The memory corruption vulnerability may allow an attacker to perform arbitrary code execution while processing web content. The vulnerability has been addressed with improved locking.
Affected Versions
- Apple Safari versions prior to 17.1.2
- Apple macOS Sonoma versions prior to 14.1.2
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 6th generation and later
- iPad mini 5th generation and later
Mitigation
Customers must upgrade to the latest macOS Sonoma 14.1.2, iOS 17.1.2, iPadOS 17.1.2, and Safari 17.1.2 to patch the vulnerability.
For more information, please visit the Apple security advisories HT214031, HT214032, and HT214033.
Qualys Detection
Qualys customers can scan their devices with QIDs 379088, 379087, and 610530 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://support.apple.com/en-us/HT214033
https://support.apple.com/en-us/HT214032
https://support.apple.com/en-us/HT214031