The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. Credit: IDG Apple has released patches for a couple of security issues found within its Webkit web browser engine that the iPhone maker believes have had zero day exploitations. Tracking them as CVE-2023-42916, and CVE-2023-42917, Apple said these vulnerabilities can be exploited while processing web content to leak sensitive information and execute arbitrary codes, respectively. “Apple is aware of report(s) that the issue(s) may have been exploited against versions of iOS before iOS 16.7.1,” Apple said in the software release note. To address the bugs, Apple has released patched updates for iOS, iPadOS, macOS, and Safari web browser. Flaws allow info stealing and arbitrary code execution Apple described that the CVE-2023-42916 allowed reading out-of-bounds memory while processing web content through an affected Webkit that could be exploited to leak sensitive browser information. CVE-2023-42917 was tagged as a memory corruption bug that could allow arbitrary code execution. CVE-2023-42916 and CVE-2023-42917 were respectively patched with improved input validation and locking, according to Apple. Clément Lecigne of Google’s Threat Analysis Group (TAG) was credited for discovering and reporting the flaws. Apple did not share the exact nature of the exploits discovered in the wild. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” Apple said. The patches dubbed iOS 17.1.2, iPadOS 17.1.2, and Safari 17.1.2, have been released for a range of Apple devices suspected of carrying these vulnerabilities. Webkit serves as a lucrative attack surface Apple restricts third-party web browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, and others, to use any other browser engine than Webkit which makes it the prime target for attackers looking to infect Apple devices. A new proof of concept (PoC) exploit published recently has been demonstrated by a group of US and German university professors to steal sensitive user data from Apple devices by improving on side channel attack techniques used by Spectre and MeltDown, which alarmed CISOs when the vulnerabilities first surfaced in 2018. Apple has had a busy year of patches with several bugs in its devices being exploited in the wild. Earlier in June, the company patched a couple of remote code execution (RCE) zero days that were allegedly exploited under a digital spy campaign, Operation Triangulation. Related content feature Low-tech tactics still top the IT security risk chart USB-based attacks, QR codes for phishing and social engineering continue to be some of the most effective, now more dangerous with the help of AI. By Rosalyn Page May 14, 2024 9 mins Cyberattacks Social Engineering Data and Information Security how-to Download the SASE and SSE enterprise buyer’s guide From the editors of our sister publication Network World, this enterprise buyer’s guide helps network and security IT staff understand what SASE (Secure Access Service Edge) and SSE (Secure Service Edge) can do for their organizations and how t By Neal Weinberg May 13, 2024 1 min Remote Access Security Network Security Enterprise Buyer’s Guides news IntelBroker steals classified data from the Europol website The agency said core operations remain unaffected even as IntelBroker claimed to possess classified, law enforcement data. By Shweta Sharma May 13, 2024 3 mins Data Breach Hacker Groups feature Ridding your network of NTLM The path to eradicating this ancient protocol and security sinkhole won’t be easy, but the time has come for its complete eradication. By David Strom May 13, 2024 8 mins Authentication Windows Security Network Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe