Apple Releases Security Updates Addressing Actively Exploited Vulnerabilities

Summary

Two exploited zero-day vulnerabilities in Safari, iOS, iPadOS, watchOS, tvOS and macOS Sonoma could lead to arbitrary code execution or unauthorised access


Threat details

Introduction

Apple have released security advisories to address two zero-day vulnerabilities in Safari, iOS, iPadOS, watchOS, tvOS and macOS Sonoma. An attacker could exploit these vulnerabilities to achieve arbitrary code execution or unauthorised access to sensitive information.

The first is an out-of-bounds read vulnerability, known as CVE-2023-42916, which could allow an attacker to read sensitive information.

The second is a memory corruption vulnerability, known as CVE-2023-42917, which could allow an attacker to perform arbitrary code execution. This could allow the attacker to establish complete control over the targeted system.

Exploitation of CVE-2023-42916 and CVE-2023-42917

Apple is aware of a report that CVE-2023-42916 and CVE-2023-42917 may have been exploited against versions of iOS before iOS 16.7.1.


Threat updates

Date: 12 Dec 2023
Update: CVE-2023-42916 and CVE-2023-42917 also affect watchOS and tvOS

The cyber alert has been updated to reflect this change.


Remediation advice

Affected organisations are encouraged to review the following Apple security advisories and apply any relevant updates or workarounds.


Remediation steps

Type: Patch
Step: Safari 17.1.2 | HT214033
https://support.apple.com/kb/HT214033

Type: Patch
Step: iOS 17.1.2 and iPadOS 17.1.2 | HT214031
https://support.apple.com/kb/HT214031

Type: Patch
Step: macOS Sonoma 14.1.2 | HT214032
https://support.apple.com/kb/HT214032

Type: Patch
Step: watchOS 10.2 | HT214041
https://support.apple.com/kb/HT214041

Type: Patch
Step: tvOS 17.2 | HT214040
https://support.apple.com/kb/HT214040
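
The fixed releases listed in the remediation steps can be checked against a device inventory export. The Python below is an added example, not part of the original alert or of Apple's advisories. The hostnames and inventory rows are constructed, and marking devices on an older major release line as "review" (because this alert lists no fix for them) is an assumption.

```python
# Minimum fixed release per product, taken from the remediation steps in this alert.
FIXED = {
    "safari": (17, 1, 2),   # HT214033
    "ios": (17, 1, 2),      # HT214031
    "ipados": (17, 1, 2),   # HT214031
    "macos": (14, 1, 2),    # HT214032 (macOS Sonoma)
    "watchos": (10, 2, 0),  # HT214041
    "tvos": (17, 2, 0),     # HT214040
}

def parse_version(text):
    """Turn '17.1' or '17.1.2' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version):
    """Return 'patched', 'update' or 'review' for one inventory row."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "review"    # product not named in this alert
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"    # unparseable version string, check by hand
    if installed >= fixed:
        return "patched"
    if installed[0] == fixed[0]:
        return "update"    # same major line, below the fixed release
    return "review"        # assumption: older major line, no fix listed in this alert

# Constructed sample inventory (hostname, product, version); not real devices.
INVENTORY = [
    ("ipad-014", "iPadOS", "17.1.1"),
    ("mac-201", "macOS", "14.1.2"),
    ("mac-202", "macOS", "13.6.1"),
    ("watch-07", "watchOS", "10.1"),
    ("tv-03", "tvOS", "17.2"),
]

def report(rows):
    """Map hostname -> triage result for every inventory row."""
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked "review" need a manual check against the linked Apple advisories rather than being treated as either safe or vulnerable.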

Definitive source of threat updates


Last edited: 12 December 2023 4:16 pm