Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year.
"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.
The two bugs were found in the WebKit browser engine (CVE-2023-42916 and CVE-2023-42917), allowing attackers to gain access to sensitive information via an out-of-bounds read weakness and gain arbitrary code execution via a memory corruption bug on vulnerable devices via maliciously crafted webpages.
The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.
The list of impacted Apple devices is quite extensive, and it includes:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, Sonoma
Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.
While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.
20 zero-days exploited in the wild in 2023
CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.
Google TAG disclosed another zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.
Apple recently patched three more zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware.
Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), fixed by Apple in September and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware.
Since the start of the year, Apple has also patched:
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February