Apple patches info-stealing, zero-day bugs in iPads and Macs

Apple has released patches for a couple of security issues found in its WebKit browser engine that the iPhone maker believes have been exploited as zero days.

Tracking them as CVE-2023-42916 and CVE-2023-42917, Apple said these vulnerabilities can be exploited while processing web content to leak sensitive information and execute arbitrary code, respectively.

“Apple is aware of report(s) that the issue(s) may have been exploited against versions of iOS before iOS 16.7.1,” Apple said in the software release note.

To address the bugs, Apple has released updates for iOS, iPadOS, macOS, and the Safari web browser.

Flaws allow info stealing and arbitrary code execution

Apple described CVE-2023-42916 as an out-of-bounds read that occurs while an affected WebKit processes web content and that could be exploited to leak sensitive browser information. CVE-2023-42917 was tagged as a memory corruption bug that could allow arbitrary code execution.

CVE-2023-42916 and CVE-2023-42917 were respectively patched with improved input validation and locking, according to Apple.

Clement Lecigne of Google’s Threat Analysis Group (TAG) was credited with discovering and reporting the flaws.

Apple did not share the exact nature of the exploits discovered in the wild. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” Apple said.

The patches, dubbed iOS 17.1.2, iPadOS 17.1.2, and Safari 17.1.2, have been released for a range of Apple devices suspected of carrying these vulnerabilities.

WebKit serves as a lucrative attack surface

Apple restricts third-party web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, and others, from using any browser engine other than WebKit, which makes it the prime target for attackers looking to infect Apple devices.

A recently published proof-of-concept (PoC) exploit, demonstrated by a group of US and German university professors, steals sensitive user data from Apple devices by improving on the side-channel attack techniques used by Spectre and Meltdown, which alarmed CISOs when those vulnerabilities first surfaced in 2018.

Apple has had a busy year of patches, with several bugs in its devices being exploited in the wild. Earlier in June, the company patched a couple of remote code execution (RCE) zero days that were allegedly exploited in a digital spying campaign, Operation Triangulation.
